Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
The Internet Your Rights Online

Alternative Browsers Impede Investigations 720

rbochan writes "Allegations in an article over at CNET propose that alternate browsers such as Firefox and Opera impede law enforcement and investigation efforts because they "use different structures, files and naming conventions for the data that investigators are after", which can "cause trouble for examiners.""
This discussion has been archived. No new comments can be posted.

Alternative Browsers Impede Investigations

Comments Filter:
  • by TripMaster Monkey ( 862126 ) * on Thursday September 01, 2005 @03:38PM (#13457986)

    This is one of the dumbest articles I've read in a while...

    From TFA:
    Internet Explorer hides nothing from police and other investigators who examine PCs to discover which sites the user has visited.
    Implying that 'alternate browsers' such as Firefox and Opera, 'hide' data? Shenanigans! These other browsers don't 'hide' anything...you just have to know where to look.

    Also from TFA:
    These programs use different structures, files and naming conventions for the data that investigators are after. And files are in a different location on the hard drive, which can cause trouble for examiners.
    You can't be serious. If it's this easy to thwart the authorities, maybe I should tender my resume.
    God help these 'professionals' if a suspect's computer happens to run Linux...which brings up a disturbing thought...is the presence of a 'non-standard' browser or OS now going to be 'suspicious' to investigators, because they can't seem to penetrate its 'arcane secrets'?
    • by account_deleted ( 4530225 ) on Thursday September 01, 2005 @03:39PM (#13458005)
      Comment removed based on user account deletion
      • by Anonymous Coward
        Well, you just proved the authors point.

        On the BeOS version of Firefox it's ALT+H, not CTRL+H! ;)
      • by Valiss ( 463641 ) on Thursday September 01, 2005 @03:48PM (#13458140) Homepage
        Oh come on, it's nearly impossible to find the URL history! Ctrl-H is a very, very complex cracking method.


        Good job. Now you've flagged yourself and the FBI is undoubtedly on its way. Giving away what is most likely a National Secrect! Please don't let them look here [mozilla.org].
      • by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Thursday September 01, 2005 @03:57PM (#13458250) Homepage
        Oh come on, it's nearly impossible to find the URL history! Ctrl-H is a very, very complex cracking method.

        Digital forensics is performed offline. You don't run the browser software to read its history.

        However, I fail to see how this would create problems for law enforcement. Most of the interesting data is readily available. And the data formats haven't changed that much since the days when Netscape was the dominant browser.
        • by SeaFox ( 739806 ) on Thursday September 01, 2005 @04:41PM (#13458719)
          However, I fail to see how this would create problems for law enforcement.

          Maybe their forensic tools can extract the browser history from the file and the software isn't aware a bookmarks file doesn't have to be named "favorites".

          At least I hope that's the issue.

          Tip for Kiddie Porn addicts: Keep your vids in someplace besides the "My Videos" folder. The authorities will never be able to find them if they're "hidden" in some other folder.
          • I keep all my kiddie porn in C://ROOT on my Windows box. Keeps the FED's out. I Also run a skin that makes windows look like OS X and an IE skin that makes it look like Firefox. My firewall/routers pass is Login/Password - they never guess that

            The Spooks are confused as hell. In fact, the last time I was investigated, one of the Detectives said "Fuck this!", whipped out his own high powered magnet, and aced my computer.

        • by grahamsz ( 150076 ) on Thursday September 01, 2005 @04:50PM (#13458805) Homepage Journal
          In some states, parole for sex offenders can require that they don't look at pornography.

          Their parole office will drop by periodically and check their PC. They have some sort of forensic software that does this.

          I've heard some jurisdictions require that you only run Windows on your computer as a condition of your parole. Logically this translates to going back to prison for owning a knoppix cd.

          There simply aren't the resources to train all parole officers in computer forensics, expose them to various obscure operating systems, or to perform regular offline analysis of offenders hard drives.

          The resources are (probably) there for big cases, but when there are probably close to half a million sex offenders on parole - it's just not practical.
          • So, how hard is it to hide a 4 GB flash drive full of porn?
          • That's just as good an excuse as saying "you need to buy Office 95 because we can't read your Office XP files with our copy of Office 95."

            It's up to the government to get with the times and update their forensics software. If their software vendor can't do it for them (no pun intended) then change vendors.
        • by zerblat ( 785 ) <jonas&skubic,se> on Thursday September 01, 2005 @05:17PM (#13459040) Homepage
          The problem is that Mozilla uses Mork [erys.org] to store the history, and Mork databases are more or less impossible [livejournal.com] to extract usable data from. So you don't really have much of a choice ;)
          • by k12linux ( 627320 ) on Thursday September 01, 2005 @07:34PM (#13459960)
            Yep, you're right zerblat. I went to search.cpan.org and did a search for Mork. And I have to agree law inforcement couldn't possibly come up with a perl prog like this one:

            ------------
            #!/usr/bin/perl -w

            use File::Mork;

            my $mork = File::Mork->new('history.dat', verbose=> 1)
                || die $File::Mork::ERROR."\n";

            foreach my $entry ($mork->entries) {
                  while (my($key,$val) = each %$entry) {
                        print "$key = $val\n";
                  }
                  print "\n";
            }

            ------------
            BTW, I do realize that your post was sarcastic... as is this one.

            Works perfectly if run in the same directory as history.dat and produces output like:

            ID = 388D
            URL = http://www.google.com/ [google.com]
            Hostname = google.com
            LastVisitDate = 1125064549
            FirstVisitDate = 1125064549
            Name = Google

            It should be left to guru perl coders making $500,000/yr or more to do fancy things like convert timestamps to dates.

            I guess it's a good thing that there are no tools available for Windows that auto-clear IE history, cookies or cache files! What would law enforcement do??
            • by smeenz ( 652345 ) on Friday September 02, 2005 @05:37AM (#13462677) Homepage

              Now THIS is funny - from the File::Monk man page:


              THE UGLY TRUTH LAID BARE ^

              Extracted from mork.pl

              In Netscape Navigator 1.0 through 4.0, the history.db file was just a Berkeley DBM file. You could trivially bind to it from Perl, and pull out the URLs and last-access time. In Mozilla, this has been replaced with a "Mork" database for which no tools exist.

              Let me make it clear that McCusker is a complete barking lunatic. This is just about the stupidest file format I've ever seen.

                            http://www.mozilla.org/mailnews/arch/mork/primer.t xt [mozilla.org]
                            http://jwz.livejournal.com/312657.html [livejournal.com]
                            http://www.jwz.org/doc/mailsum.html [jwz.org]
                            http://bugzilla.mozilla.org/show_bug.cgi?id=241438 [mozilla.org]

              In brief, let's count its sins:

                      * Two different numerical namespaces that overlap.
                      * It can't decide what kind of character-quoting syntax to use: Backslash? Hex encoding with dollar-sign?
                      * C++ line comments are allowed sometimes, but sometimes // is just a pair of characters in a URL.
                      * It goes to all this serious compression effort (two different string-interning hash tables) and then writes out Unicode strings without using UTF-8: writes out the unpacked wchar_t characters!
                      * Worse, it hex-encodes each wchar_t with a 3-byte encoding, meaning the file size will be 3x or 6x (depending on whether whchar_t is 2 bytes or 4 bytes.)
                      * It masquerades as a "textual" file format when in fact it's just another binary-blob file, except that it represents all its magic numbers in ASCII. It's not human-readable, it's not hand-editable, so the only benefit there is to the fact that it uses short lines and doesn't use binary characters is that it makes the file bigger. Oh wait, my mistake, that isn't actually a benefit at all.

              Pure comedy.
      • CTRL +H closed my Opera session you insensitive clod!
        Luckily it also popped-up everything I had open with a restart. ;)
      • by Shads ( 4567 ) * <shadusNO@SPAMshadus.org> on Thursday September 01, 2005 @04:34PM (#13458646) Homepage Journal
        Sgt.Smith: "Damnit Jones, firefox. Another criminal goes free."
        Lt.Jones: "You you know Smith, I sometimes wonder if we just were competant with computers if we could well, you know, understand basic computer forensics instead of relying on software to do it for us?"
        Sgt.Smith: "Shutup Jones, theres a way we do things here, it's the microsoft way, all other ways are abhorant and methods of the terrorists."
        Lt.Jones: "Good call Smith!"

        *sigh* It's only sad because it could be true. Police forces need to hire security professionals and train them to be computer forensics. Not hire police officers and rely on them to learn the ins and outs of computer security.
    • by MyLongNickName ( 822545 ) on Thursday September 01, 2005 @03:40PM (#13458027) Journal
      Is is dumb, but not for the reason you suggest. It is dumb because software isn't to be designed with 'criminal investigator usability' as a design consideration.

      Simple as that.
      • by Total_Wimp ( 564548 ) on Thursday September 01, 2005 @04:38PM (#13458689)
        It is dumb because software isn't to be designed with 'criminal investigator usability' as a design consideration.

        But I wish more software was designed with leaving a small or non-existant trail as a design consideration.

        When I speak on the phone, none of it get's recorded unless someone makes a special effort to do so. I would hope my computing experience could be the same.

        And I really hate the idea that a bunch of you people are thinking I'm some kind of major criminal for wanting it that way. If you happen to be one of the ones that think I should be happy to have everything logged, then please set up a web cam in your bedroom and tape everything that happens. After all, there really isn't any chance of it falling into the wrong hands and law enforcement might need to check those tapes to make sure you're not snorting coke in there. Cops are good people and none of them will laugh about what you're doing witht that banana. I promise.

        TW
        • Most do. However, we also want the convenience of auto-fill in fields, URLs that kinda figure out where we want to go based on prior activity. You cannot have those conveniences without making it possible for someone to use it against you. You can make it HARD, but not impossible.

    • More frightenly, IMHO -- why does *ANY* browser leave this stuff unencrypted on a hard drive anyway.

      That's just begging for a virus/trojan that might infect a PC to steal confidential data.

    • I would say this says something about the level of education and intellegance of authorities. They aren't very educated and smart. If the techie authorities can't handle browser differences how are they supposed to find info on computers are trying to hide.

      If I were the authorities I would be insulted by this article and it implying they aren't smart.
    • by baryon351 ( 626717 ) on Thursday September 01, 2005 @03:44PM (#13458094)
      It's the silliest thing I've read about non-IE browsers, and how they're BAD since I read this one. [danaquarium.com]
    • by KiloByte ( 825081 ) on Thursday September 01, 2005 @03:45PM (#13458097)
      Actually, FireFox Deer Park (pre-1.1) which I am using right now has a right-in-your-face menu item to remove this kind of data. Those bad evil criminals don't even have to dig through the options to purge the evidence for their wrongdoings. Clearly, this browser must be a work of the devil and should be banned.
    • by BJZQ8 ( 644168 ) on Thursday September 01, 2005 @03:48PM (#13458141) Homepage Journal
      This is NOT a joke. I have dealt with some state police "computer forensics" people that were little more than a rookie cop with a "Computer Forensics for Dummies" book under their arm. It was THAT bad. They used undelete utilities and such to get a file off of a ZIP disk. Wowee. They are given virtually unlimited budgets and permission to buy practically any computer item, all in the name of security...but you can't change the fact that they are LEJA majors, not CS majors.
      • I don't doubt it.

        This being said.....

        If we are to value the market economy, we can't let the incompetence of law enforcement be used as an excuse to bully us into using a product released by a convicted monopolist.....
      • While this is true, the computers they can't deal with get sent out to private companies, who _are_ good. Either way they get the data - just the cheap or expensive way.
      • by commodoresloat ( 172735 ) on Thursday September 01, 2005 @04:04PM (#13458324)
        Seriously, what do you propose? Educate them? This is national security that is potentially at stake here, people. We cannot simply turn to the logical solution. There's only one way to deal with this problem and that is to nip it in the bud. All non-IE browsers should be outlawed forthwith and anyone caught using them should be sent to Guantanamo for interrogation.
      • by Lumpy ( 12016 ) on Thursday September 01, 2005 @04:32PM (#13458630) Homepage
        I also agree with this.

        we hired an Ex FBI computer forensics expert, he "retired" 3 years ago at the age of 37. the man knows absolutely nothing about computer forensics. I started talking to him during lunch to ask him how he would recover evidence from a company PC that a user was using to surf kiddie porn with.

        He said you grab the IE history folder and temp internet folder.

        I asked so what do you do when that user uses the option to empty the contents of that folder or uses XP power tools to set it to empty it on a regular basis. or installed one of those "hide your tracks" programs you get spams about every other week?

        He responded that highly skilled hackers like that are not common in the business world and then he would have to send the drive in for electron microscope examination.

        The man shit his pants when the situation finally came around that he was unable to retrieve evidence from a ex employee's laptop. I gave them a printout of cookies to all the websites the guy visited and a detailed record of his ill-gotten web useage for the last week he was here. I used my leet haxor skillz and unleased a secret tool called proxy server logs as well in my 20 minutes. He took 7 days to retrieve nothing.

        and at that time I was a lowly know-nothing IT guy.

        moral of the story? if you have 1/2 a brain it is really easy to elude the police in "computer crime" and hide all your evidence easily. the only thing going for the police is that the typical criminal is working with 1/16th of a brain.

      • by major.morgan ( 696734 ) on Thursday September 01, 2005 @04:58PM (#13458872) Homepage
        I teach both networking and computer security. In my classes I have had personal experience with "Computer Crime Investigators". Most of them are officers who have gone to $20-50,000 (not exaggerating) worth of training in a few weeks that they don't understand, got a few "law enforcement only" utilities (Knoppix has better tools) that they can run. They are no better at understanding technology than your average office user. If they can't click a button in their tools and have all of the evidence discovered, analyzed and spit out in a non-technical report - they generally won't get much. Add a sprinkle of encryption and they are baffled. There are those who are quite skilled, but as with most things - they are few and far between.

        For example: I have a friend who works in IT for a law enforcement agency. He constantly gets calls from their computer forensics specialist asking for help on why his station won't boot. Usually it's because he overwrote his boot sector while ananyzing a drive (I don't understand either).

        Unfortunately the prevailing opinion is that teaching a street cop technology is easier than teaching a tech the intracate details of law enforcement. The higher ups don't realize that any IT persons job is basically an daily investigation. I think the answer is to pair up the two, but again, none of these agencies has asked me.
    • by drgonzo59 ( 747139 ) on Thursday September 01, 2005 @03:50PM (#13458161)
      If the police has problems looking through the firefox files, I think I'll remove all the IE browsers from my lab and install Firefox or Opera.

      In other words, they seem to be slamming Firefox, but actually it is pretty good advertisement for Firefox. They should put on their front page.

      "Even the brightest police investigators can't look at your browser history! Get Firefox today, the most secure browser."

    • by beacher ( 82033 ) on Thursday September 01, 2005 @03:52PM (#13458182) Homepage
      Here's the best part - "One specific challenge with Firefox and Opera is identifying which Web addresses have been entered manually as opposed to having been clicked on in a hyperlink"..

      Cmon.. any advanced porn^H^H^H^H surfer knows to go to google, enter the url and click through google's url. That way you don't have a suspicious empty dropdown bar and you can simply delete the url and google's search url) from the history and for all intents and purposes, you never went there (just dump the cache).

      I guess these guys were never married. Simply having an attentive wife teaches you that FED defeating trick. The location dropdown bar and autocomplete can be a lot of trouble.

      Heh
    • I basically agree, though I think you didn't word the criticism directly enough. The deeper point revealed by the "serious" publication of this kind of tripe is that America is moving to a police state where the convenience of the police is a primary consideration over the freedoms and rights of the citizens. Since they (the political monopolists, not the police) want to monitor everything and everyone in search of their political enemies, then of course they want to maximize the convenience of the process
    • God help these 'professionals' if a suspect's computer happens to run Linux

      I remember reading a while back that when the FBI seizes a macintosh computer they ship it to the Canadian Mounties for data recovery because the FBI does not know how to recover data from macintosh computers. I don't know if that is true, but I would not be surprised.

    • I find it hard to place much credence in that article.

      One of my students is an Indiana State Trooper undergoing computer forensics training. Since he's enthusiastic about his classes, I get to hear about what he's being taught at all his Homeland Security-sponsored courses.

      And it turns out that he's learning some pretty complex things, at least as far as examining the contents of hard drives. He has programs that can analyze Windows or *nix systems with a good level of accuracy. He talks about looking at pa
  • Dear god no! (Score:5, Insightful)

    by Rei ( 128717 ) on Thursday September 01, 2005 @03:39PM (#13458001) Homepage
    Heaven forbid that they have to learn to deal with a different file layout. I mean, it's not like these are supposed to be skilled professionals practicing their trade here...
  • Browser concerns (Score:3, Interesting)

    by bigwavejas ( 678602 ) * on Thursday September 01, 2005 @03:39PM (#13458007) Journal
    It seems to me this is the least of their problems. Finding the potential wrongdoer is much more difficult than actually locating data on their computer. With anonymous surfing methods Tor [eff.org] and drive encryption technologies TrueCrypt [truecrypt.org] I would almost consider an unencrypted/ unsecure system a "non-issue."

    /search/*.jpg, *.html, *.gif, *.etc...

    Firefox and Opera may use a different method of file structure/ naming, but they *do* have a fundamental process and that process does not vary from system to system.

  • by 1zenerdiode ( 777004 ) on Thursday September 01, 2005 @03:40PM (#13458009)
    ...the terrorists have already won.
    • by kfg ( 145172 ) on Thursday September 01, 2005 @04:09PM (#13458400)
      I'm afraid I do worse than that. I encrypt all of my text files with something called "Pig Latin."

      The poor bastards in law enforcement are powerless against it, and I am evil, evil, evil for not living my life with an eye toward making it pathetically easy for any traffic cop to fully investigate me for anything, as any good PATRIOT should.

      Muuuuuuuhahahahaha!

      KFG
  • by Anonymous Coward on Thursday September 01, 2005 @03:40PM (#13458011)
    In other news, bad guys hide in secret hideouts, which makes it hard for the Police to do their job.
  • TOR (Score:4, Funny)

    by IAR80 ( 598046 ) on Thursday September 01, 2005 @03:40PM (#13458012) Homepage
    Damn I have deployed TOR for nothing. Installing Firefox was enough.
  • by Kelson ( 129150 ) * on Thursday September 01, 2005 @03:40PM (#13458016) Homepage Journal
    It sounds like a lot of the people doing this kind of investgation aren't actually computer experts, but using pre-packaged software or following a list of directions someone has tailored for IE.

    Effectively, they're professional script kiddies working for the common good instead of against it.

    The lesson? Training. You wouldn't put a detective in the morgue and hand him a scalpel, and you wouldn't drop him in a science lab. You'd hire a coroner, you'd hire someone trained in forensic science. If you're going to search someone's computer for evidence, hire an expert or train someone to become an expert.
    • by infonography ( 566403 ) on Thursday September 01, 2005 @04:05PM (#13458345) Homepage
      Windows is already investigation friendly, it stores it's history in system dependant files throught the file system. If some whinner at HS is having issues about other browsers it's likely that in this administraton there is somebody paying somebody to do the whinning (i.e. M$). If somebody want's to mandate a browser then they can kiss my pucker.

      Nobody should ever make it easy for script kiddies (especially because they have a Chicken Inspector Badge).

  • Profit! (Score:3, Funny)

    by pwnage ( 856708 ) on Thursday September 01, 2005 @03:40PM (#13458017)
    I have decided to submit a patent for this. "A Method of Obfuscation of Law Enforcement Data through the use of Better Internet Browsing Software."

    Help me out, /.!!!

    1. Submit patent.
    2. ???
    3. Profit!

  • by N3wsByt3 ( 758224 ) on Thursday September 01, 2005 @03:40PM (#13458023) Journal
    Now I understand why the police or 'special' agencies can't find their terrorists: they rely on MS in general, and IE in particular! ;-)

  • Um, Duh? (Score:5, Interesting)

    by NorbMan ( 829255 ) * on Thursday September 01, 2005 @03:40PM (#13458024) Journal
    From TFA:
    Firefox and Opera store information on typed URLs in a different file than IE does, and the files are somewhat tough to decipher

    You would think since Firefox is open-source, it would be a trivial matter to determine the format of the cache files by examining the source code.

    • Re:Um, Duh? (Score:3, Insightful)

      by Kelson ( 129150 ) *
      Quick question: is the average detective familiar with C or C++?

      No?

      What good is the source code going to do him?
      • Re:Um, Duh? (Score:3, Insightful)

        None...but if they divert some of the money they spend on, say, hiring Psychics(tm) hiring a programmer (or for that matter just "someone skilled with computers") THAT person may be helped by it, and can certainly develop some simple "how to find where Firefox puts stuff" training for them.

        • Re:Um, Duh? (Score:3, Insightful)

          by Coryoth ( 254751 )
          hiring a programmer (or for that matter just "someone skilled with computers") that person may be helped by it, and can certainly develop some simple "how to find where Firefox puts stuff" training for them.

          If they can hire a programmer who has a clue then just get him to write a script for Encase that automatically searches out and displays Firefox, Opera, Safari, and other browser caches and logs. It would not be very hard at all. Distribute said script to all the police departments, and have the forensic
  • I laughed (Score:5, Funny)

    by Approaching.sanity ( 889047 ) on Thursday September 01, 2005 @03:40PM (#13458026) Homepage
    And then I realized that they were serious.

    Now I weep for them.
  • by Brandon K ( 888791 ) on Thursday September 01, 2005 @03:42PM (#13458047)
    So with a few low-res pictures of some metal objects in Iraq we can determine they have biological weapons... but the 'trained professionals' working for the police can't figure out how to find Firefox's internet logs?
  • by JackTripper ( 798804 ) on Thursday September 01, 2005 @03:42PM (#13458049)
    ...Firefox... on Linux! "Find what they've been browsing? Hell, we can't even find C: !"
  • by amcdiarmid ( 856796 ) <amcdiarmNO@SPAMgmail.com> on Thursday September 01, 2005 @03:43PM (#13458065) Journal
    Let me see now (Jon Stuart grin), the police haven't learned how "alternative" browsers store data. Users of these "alternative" browsers even have been known to "flush" their data caches. This , um, "flushing" is a suspicious behavior - AND these "alternative" browsers are resistant to spyware that we normally use to "spy" on our "citizens."

    I say, if these "citizens" don't want to be "spied" on, they are SUSPICIOUS! SEND THEM TO GUANTANAMO!

    Meanwhile, in Soviet Russa...
  • In a word: (Score:3, Interesting)

    by commo1 ( 709770 ) on Thursday September 01, 2005 @03:43PM (#13458068)
    Good.

    That's one of the reasons I use Firefox, Thunderbird, Sunbird, etc...

    Security by obscurity is not essentially valid, but it can be useful.

    The government can't force people to organize their thoughts or ideas written down on legal pads with sworn oaths as to dates & times, why should ANY information be handed to them. I run may trace eliminators, for this purpose. I encrypt my file system. If this is going to slow them down or prevent them from gathering evidence, it's done it's job. Just another reason not to buy into the Microsoft way. (I'm not being facetious, it's true: Microsoft has an agenda to be on the side of the law, they HAVE to be lobbying quietly to get stuff like this out and laws passed to enforce it.)
  • by crimguy ( 563504 ) on Thursday September 01, 2005 @03:44PM (#13458088) Homepage
    As a criminal defense attorney specializing in computer crimes, I can say authoritatively that the investigators are typically poorly trained. Most that I have dealt with are not IT or CS degree holders. In fact, the norm is for it to be a police officer who has taken a 2 week course in Encase, nothing more. Their knowledge of operating systems is lacking to say the least. Of course, this can result in some poor schmuck being convicted for something he didn't do, both because the cops don't know any better, and the juries - who typically take the word of the police as gospel down here in Arizona, know even less and rely on the uninformed testimony of law enforcement.
    • I don't know how gullible juries are in Arizona, but seriously, can't you exploit this?

      "Officer MacGruff, are you an expert in computer forensics? Can you summarize your education? Can you describe your methodology?"

      This reminds me of the whole speed camera thing in AU, where they lost a major court case because, given 8 weeks, they couldn't find an expert willing to testify on the relability of hashes as MACs. Not because the testimony wasn't believed, mind, but that they didn't have any.

    • investigators are typically poorly trained
      Specifically, poorly trained in tech matters. (one would hope, not poorly trained in investigation/law enforcement and the kind of stuff that should be their "core competancies")
      I work for a phone company, and often work with various police agencies' "special investigation" units. The officers that I deal with are usually 6-8 year veterans, and have been rotated into SI for a 3-4 year stint. When they have to deal with the interface hardware that they have at ou
  • by Anonymous Coward on Thursday September 01, 2005 @03:44PM (#13458089)
    http://www.theregister.co.uk/2004/01/28/a_visit_fr om_the_fbi/ [theregister.co.uk]

    A visit from the FBI
    By Scott Granneman, SecurityFocus
    Published Wednesday 28th January 2004 13:05 GMT

              [snip]

    I teach technology classes at Washington University in St. Louis, a fact that I mentioned in a column from 22 October 2003 titled, "Joe Average User Is In Trouble [securityfocus.com]". In that column, I talked about the fact that most ordinary computer users have no idea about what security means. They don't practice secure computing because they don't understand what that means. After that column came out, I received a lot of email. One of those emails was from Dave Thomas, former chief of computer intrusion investigations at FBI headquarters, and current Assistant Special Agent in Charge of the St. Louis Division of the FBI.

    Dave had this to say: "I have spent a considerable amount in the computer underground and have seen many ways in which clever individuals trick unsuspecting users. I don't think most people have a clue just how bad things are." He then offered to come speak to my students about his experiences.

    I did what I think most people would do: I emailed Dave back immediately and we set up a date for his visit to my class.

    It's not every day that I have an FBI agent who's also a computer security expert come speak to my class, so I invited other students and friends to come hear him speak. On the night of Dave's talk, we had a nice cross-section of students, friends, and associates in the desks of my room, several of them "computer people," most not.

    Dave arrived and set his laptop up, an IBM ThinkPad A31. He didn't connect to the Internet - too dangerous, and against regulations, if I recall - but instead ran his presentation software using movies and videos where others would have actually gone online to demonstrate their points. While he was getting everything ready, I took a look at the first FBI agent I could remember meeting in person.

              [snip]

    Dave had some surprises up his sleeve as well. You'll remember that I said he was using a ThinkPad (running Windows!). I asked him about that, and he told us that many of the computer security folks back at FBI HQ use Macs running OS X, since those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box. In the field, however, they don't have as much money to spend, so they have to stretch their dollars by buying WinTel-based hardware. Are you listening, Apple? The FBI wants to buy your stuff. Talk to them!

    Dave also had a great quotation for us: "If you're a bad guy and you want to frustrate law enforcement, use a Mac." Basically, police and government agencies know what to do with seized Windows machines. They can recover whatever information they want, with tools that they've used countless times. The same holds true, but to a lesser degree, for Unix-based machines. But Macs evidently stymie most law enforcement personnel. They just don't know how to recover data on them. So what do they do? By and large, law enforcement personnel in American end up sending impounded Macs needing data recovery to the acknowledged North American Mac experts: the Royal Canadian Mounted Police. Evidently the Mounties have built up a knowledge and technique for Mac forensics that is second to none.

              [snip]
  • by code65536 ( 302481 ) on Thursday September 01, 2005 @03:46PM (#13458120) Homepage Journal
    This is going to be moot if the law enforcement is dealing with people who are serious about what they're doing. I'm sure that if someone is planning an elaborate high-profile attack, they would have the sense to be careful as well, so it won't matter if you use IE or if you use Firefox or if you use Lynx--it's not that hard to wipe out all traces of activity from your computer no matter what browser you use. So I doubt that this is going to be of any help in dealing with smart criminals.

    And if the law enforcement can't figure out how to write a simple tool to decipher the files that are left behind from alternative browsers (especially one like Firefox that is open-source, meaning that the format of such files would be easy to determine), then that's just, well, pathetic.

    And finally, I think that this is a good thing. Most people in this world will probably never ever have to deal with law enforcement. But they do have to deal with snooping parents, snooping friends, snooping girlfriends, snooping spouses, snooping bosses, etc., so I welcome this as good news. ;)
  • by JavaRob ( 28971 ) on Thursday September 01, 2005 @03:51PM (#13458171) Homepage Journal
    Somehow we just never realized this... we should also encourage businesses to only use ONE accounting method, so that embezzlement investigations can be simpler. There should only be a single gun manufacturer, with only one kind of gun available... imagine how much simpler investigations would be? "Well, we already know it was a Glock 32 handgun...".

    What are people thinking, that businesses and products might exist to serve the needs of the people paying for and using them? What nonsense! Only law enforcement matters!

    Seriously, even if this were a serious question, don't investigators get MORE useful data in the variations of people's setup? The more unique your suspect's setup, the easier it may be to track them.

    And of course it's perfectly simple to find the Firefox cache -- can someone just drop them an email? They can print it out, tack it to the wall, and quit with the whinging.
  • by microcars ( 708223 ) on Thursday September 01, 2005 @03:57PM (#13458247) Homepage
    Terrorists and Mafia switch to Macs

    Police, baffled by the lack of a blue "e" can't figure out how they used the Internet.

    "And there's no START button! How are we supposed to find anything?"

  • by drrobin_ ( 131741 ) on Thursday September 01, 2005 @03:58PM (#13458265)
    I question the trust that slashdotters seem to have in this new story. Why should we believe it?

    The general police forces have managed to get a new story published on how they can not deal with any sort of semi-modern technology. Why should we believe it?

    If I were the police, and I'm sure the police have at least one or two people smarter than me. then I would go to great lengths to get this story published. Why? Not because I can't figure out Firfox, be because I -can- figure out Firefox.

    If my suspect thinks that I am too dumb to understand Firfox, then my suspect is far less likely to use powerful encryption. Without the powerful encruption, I -can- read Firefoxes files, and a significant proportion of criminals will think they are safe when they are not.

    Hell, I'm not even law enforcement but I still find it obvious how this story is a great advantage for the law enforcement community.
  • by tritone ( 189506 ) on Thursday September 01, 2005 @04:05PM (#13458339) Homepage
    From Apple's website:

    "Using Safari's new Private Browsing feature, no information about where you visit on the Web, personal information you enter or pages you visit are saved or cached. It's as if you were never there."
  • My Response (Score:4, Insightful)

    by Goo.cc ( 687626 ) * on Thursday September 01, 2005 @05:24PM (#13459099)
    Boo Hoo!
  • by DynaSoar ( 714234 ) * on Thursday September 01, 2005 @06:05PM (#13459368) Journal
    ""Allegations in an article over at CNET propose that alternate browsers such as Firefox and Opera impede law enforcement and investigation efforts because they "use different structures, files and naming conventions for the data that investigators are after", which can "cause trouble for examiners.""

    Allegations in an article over at Police Magazine propose that alternate vehicles such as motorcycles and buses impede bank robbery law enforcement and investigation efforts because they "use different shapes, different numbers of seats, and different logos for the manufacturers that investigators are after", which can "cause trouble for get-away car examiners".

    Obviously, only Dodge Chargers, like the "General Lee" should be allowed to criminals, to make them easier to catch.
  • A theory... (Score:3, Interesting)

    by Jodka ( 520060 ) on Thursday September 01, 2005 @06:18PM (#13459455)

    After looking over the site [htcia.org], I suspect that "The High Technology Crime Investigation Association (HTCIA)" is a front; it is really a for-profit money-making venture, not a legitimate professional association, as it presents itself. For a genuine professional association, they make too strong an effort to convince us that's what they are. It would work like this: A few guys collect the attendance and membership fees, keeping a big profit for themselves. The fees are paid by governments. The conference attendees, mostly law enforcement officials, receive some stupid advice. Masquerading as a professional organization instead of a for-profit business creates good will, helping them to fleece taxpayers.

    The content of the training seminars is especially suspicious. Really, how easy is it to uncover the "secret" history files of "alternative" web browsers? I timed myself, and it took me about 90 seconds using Google to work out some good keywords and find the answer. See the first link [holgermetzger.de] in my google search [google.com].

    Something else suspicious about this professional training: Because the source code for Firefox is available for free to the public, which is not the case with Internet Explorer, it should be easier, not more difficult, to uncover where and how Firefox logs history.

  • by bergeron76 ( 176351 ) * on Thursday September 01, 2005 @07:35PM (#13459969) Homepage
    Firefox is OPEN SOURCE! That means the file formats are OPEN. Microsoft IE is CLOSED SOURCE, meaning you need to reverse engineer everything to figure out where stuff lives.

    That said, I wonder what would prevent someone from creating a wireless fileserver and embedding it behind their drywall. Using an NFSmount or Share, an evildoer's PC wouldn't hold anything evil when the FED's nabbed it.

    Realistically I bet it would though - They can do some pretty amazing things with Forensics these days, and I wouldn't be surprised if they could take a ram chip and see previous states of 0's and 1's.

  • evil! (Score:4, Interesting)

    by cahiha ( 873942 ) on Thursday September 01, 2005 @07:40PM (#13460000)
    Even worse, those non-IE browsers make it really hard for police to install spyware and keylogging software on the user's computer. With IE, they just insert a little bit of code into any web page and they are done, but Opera and Firefox put up obstacles to that kind of legitimate law enforcement activity! Evil! Terrorism!

Single tasking: Just Say No.

Working...