
Hackers Counter Microsoft COFEE With Some DECAF

kdawson posted more than 4 years ago | from the please-mister-moto dept.


An anonymous reader writes "Two developers have created 'Detect and Eliminate Computer Assisted Forensics' (DECAF). The tool tries to stop Microsoft's Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources. After COFEE was leaked to the Web, Microsoft issued takedown notices to sites hosting the software." The article notes that DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.


first post? (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30453684)

fp

DECAF: A welcoming news (2, Insightful)

ub3r n3u7r4l1st (1388939) | more than 4 years ago | (#30453732)

Less innocent people will be going to jail. Less family will be broke up.

The time has come to rise against the machine.

Re:DECAF: A welcoming news (5, Funny)

skine (1524819) | more than 4 years ago | (#30453868)

I prefer to RAGE against the machine.

BAH-duh BAH BAH-duh BAH DAH-duh.

Re:DECAF: A welcoming news (5, Funny)

Anonymous Coward | more than 4 years ago | (#30454064)

Coding in the name of!

Re:DECAF: A welcoming news (5, Funny)

Anonymous Coward | more than 4 years ago | (#30454572)

Fuck you, I won't code what you tell me!

Re:DECAF: A welcoming news (5, Funny)

Per Wigren (5315) | more than 4 years ago | (#30455030)

Some of those who share sources
are the same that hate bosses

Re:DECAF: A welcoming news (2)

L4t3r4lu5 (1216702) | more than 4 years ago | (#30455140)

Rage Against The Machine - "Killing In The Name" for UK Christmas No.1! [telegraph.co.uk]

From the Facebook group: "Fed up of Simon Cowell's latest karaoke act being Christmas No. 1? Me too ... So who's up for a mass-purchase of the track 'KILLING IN THE NAME' from December 13th ... as a protest to the X Factor monotony?"

I've bought it from iTunes, Amazon, and re-bought the album in my local HMV. Get it done, people.

Re:DECAF: A welcoming news (0)

Anonymous Coward | more than 4 years ago | (#30455210)

So to protest the music industry, you want to give loads of cash to record labels? Fuck, man, you're a regular Che.

Re:DECAF: A welcoming news (0)

Anonymous Coward | more than 4 years ago | (#30455212)

Buying the album won't affect the Xmas number one singles charts...
 
And if you're doing it to 'make a statement against the record labels' just realise that Rage are signed to Epic, who are a subsidiary of Sony, one of the 'Big Four'.

Re:DECAF: A welcoming news (0)

Anonymous Coward | more than 4 years ago | (#30455320)

And guess what?? Simon Cowell is one of the main men in Sony Records...

Re:DECAF: A welcoming news (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#30455368)

I don't care whether Simon Cowell gets richer or not. I care that there is enough power held with the people to change history.

You might think it's small fry changing the outcome of the Christmas charts, but what if the next Facebook group is "Labour are shafting our rights. Let's get them out!"

Township called Rebellion indeed.

Re:DECAF: A welcoming news (1)

cyber-vandal (148830) | more than 4 years ago | (#30455282)

I've bought 3 copies and am looking forward to not having a karaoke number 1.

Re:DECAF: A welcoming news (2, Insightful)

camg188 (932324) | more than 4 years ago | (#30456418)

Why do you care about popularity ratings? Just listen to what you like. End of problem.

Re:DECAF: A welcoming news (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#30456728)

It's not about popularity, it's about proving that the public en masse can change anything they want.

I'm waiting for the "National ID card is a bad idea. Let's get it abandoned" group. Also called the "Vote for anyone but Labour" group.

Re:DECAF: A welcoming news (1)

dunkelfalke (91624) | more than 4 years ago | (#30455200)

Welcome, my son, welcome to the machine.

Re:DECAF: A welcoming news (2, Insightful)

Wrath0fb0b (302444) | more than 4 years ago | (#30454888)

Less innocent people will be going to jail. Less family will be broke up. [sic]

Any particular reason to think innocent people are more likely to use DECAF than the guilty? I fail to see why technical savvy should be correlated with innocence or guilt.

Re:DECAF: A welcoming news (0)

Anonymous Coward | more than 4 years ago | (#30455596)

Less innocent people will be going to jail. Less family will be broke up. [sic]

Any particular reason to think innocent people are more likely to use DECAF than the guilty? I fail to see why technical savvy should be correlated with innocence or guilt.

Insightful?! Mods are a little sleepy today?

Note that the GP didn't say it will put disproportionally less innocent people - only that there will be less innocent people.

In any case, you are wrong - there is a small disproportionality - guilty people leave other traces as well - innocent people's sole incrimination might be what's on their hard disk ;)

Re:DECAF: A welcoming news (2, Informative)

Rysc (136391) | more than 4 years ago | (#30456156)

Note that the GP didn't say it will put disproportionally fewer innocent people - only that there will be fewer innocent people.

Fixed it for you. You and the OP made the same mistake. It's like nails on a chalk board, honestly!

You can have fewer innocent people or you can have less innocent people, but it means different things. Less innocent people are not as innocent, fewer innocent people are of a smaller number.

Perfect trojan horse (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30453734)

DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.

Haha, that'd be the perfect trojan horse. Have people with (illicit) things to hide run a program that claims to prevent them from being caught, all the while this program is just reporting them. And even if they post code, they could just post any old source code and claim it was used to generate the executable.

Re:Perfect trojan horse (1)

Cryacin (657549) | more than 4 years ago | (#30453804)

Who says Microsoft didn't get a "contractor" to write this and release it in the wild? NT phone home!

Re:Perfect trojan horse (1)

angelwolf71885 (1181671) | more than 4 years ago | (#30453940)

*glowing finger points at DECAF* friend friend

Re:Perfect trojan horse (4, Insightful)

Ihmhi (1206036) | more than 4 years ago | (#30453908)

And even if they post code, they could just post any old source code and claim it was used to generate the executable.

Well yeah, until someone who has an I.Q. greater than a water buffalo compiles the source code and finds out that it doesn't match up with the finished DECAF product...

That's the point of having source code out there in the first place. It can be inspected for everything from your everyday uh-ohs to your big time no-nos.

Re:Perfect trojan horse (2, Insightful)

Anonymous Coward | more than 4 years ago | (#30454234)

And then some one with a little higher I.Q. takes the time to do something fun like disassemble the executable or hell, use wireshark to capture any network traffic the program might generate to see what it is actually doing.

Re:Perfect trojan horse (0)

Anonymous Coward | more than 4 years ago | (#30455090)

"until someone who has an I.Q. greater than a water buffalo"
I won't have you besmirch the intelligence of bovine creatures with an affinity for bathing by likening to people who need to use software to defeat MS malware. Even such creatures know that if you want to do anything that the authorities or corporate oligarchy would disapprove of then you should be using Linux or better yet, OpenBSD. Please refrain from smearing the good name of our semi-aquatic hoofed friends.

Re:Perfect trojan horse (1)

calmofthestorm (1344385) | more than 4 years ago | (#30453988)

If this is true then the NSA got a lot lazier, a lot more efficient, and a lot more effective. The Soviets pioneered denouncing your neighbors but this is one better.

Re:Perfect trojan horse (0)

Anonymous Coward | more than 4 years ago | (#30455870)

If this is true then the NSA got a lot lazier, a lot more efficient, and a lot more effective. In the XX century, the nazis pioneered denouncing your neighbors but this is one better.
Fixed that for you.

Re:Perfect trojan horse (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30454552)

"they could just post any old source code and claim it was used to generate the executable." ... which is why you read the code, and if you approve of the code, compile it yourself. If your C.S. skills aren't up to that level, then check with someone you trust as competent to do that code analysis/compilation.

It's essentially the same with every program.

But yeah, this looks like an exploit opportunity, and I won't run DECAF on any of my boxes (uh, wait... do I *have* any Windows boxes? Oh, yeah, my gaming box!) without first carefully isolating the code and analyzing what it does.

Re:Perfect trojan horse (1)

Stoian Ivanov (818158) | more than 4 years ago | (#30454816)

This is the beauty of Open Source - you can build your own binaries when paranoid :)

no source? it's a trap! (3, Interesting)

FunkyRider (1128099) | more than 4 years ago | (#30453736)

Maybe DECAF is a double agent blocking COFEE and collecting its own things in the inventor's interest. It's a trap!

Re:no source? it's a trap! (1)

Yvan256 (722131) | more than 4 years ago | (#30454020)

No, that's XPRESO.

Re:no source? it's a trap! (2, Funny)

ozmanjusri (601766) | more than 4 years ago | (#30454646)

Slow down, stop blowin' the froth and chill a little.

That's right, it's a frappe!

Microsue (3, Funny)

GuNgA-DiN (17556) | more than 4 years ago | (#30453746)

Oh Microsoft.... is there *anything* that can't be handled by a lawsuit?

The Site... (5, Informative)

JBG667 (690404) | more than 4 years ago | (#30453750)

Re:The Site... (1, Funny)

Anonymous Coward | more than 4 years ago | (#30454084)

What's next?

Decaf2000?
DecafXP?
DecafVista?
Decaf7?

Re:The Site... (1)

Yetihehe (971185) | more than 4 years ago | (#30454754)

KDE Mokka.

Re:The Site... (0)

Anonymous Coward | more than 4 years ago | (#30454808)

Shouldn't that be Koffee. To Komplement Koffice?

So let me get this straight... (5, Insightful)

publiclurker (952615) | more than 4 years ago | (#30453752)

I have incriminating information on my computer so I'm supposed to download and run some closed-source software from people who now know I have this information, and it will make my problems go away. Right.....

Re:So let me get this straight... (3, Informative)

Bios_Hakr (68586) | more than 4 years ago | (#30453842)

So, set up a VM and then port it through WireShark. It shouldn't be too hard to figure out if it's communicating with some central server.

Re:So let me get this straight... (1)

shird (566377) | more than 4 years ago | (#30453998)

Communicating to some central server when you run it at least. If it stores the data and sends it on a different date you wouldn't know too easily.

Besides, it may be doing something other than sending off your data.. e.g encrypting it and ransoming you for the key to decrypt it.

Re:So let me get this straight... (1)

Syberghost (10557) | more than 4 years ago | (#30454086)

Yeah, because it's not possible for programs to detect they're running in a VM...

Re:So let me get this straight... (0)

Anonymous Coward | more than 4 years ago | (#30454696)

Okay then - run it on a normal machine and run Wireshark on its router.

Re:So let me get this straight... (2, Interesting)

GameboyRMH (1153867) | more than 4 years ago | (#30456438)

What if someone actually wanted to secure a VM with this app?

I assume a program could detect if it's running in a VM by checking hardware and matching it with known VM configurations?

But anyone who's really serious about security shouldn't be running Windows anyways, even with full-disk encryption. What I'm interested in is seeing how COFEE presumably executes with admin privileges on a locked Windows PC with no user input - the technique could be used to make a "super switchblade [hak5.org] ," especially if it can run on Vista/7 which aren't as vulnerable to these attacks. I'd imagine COFEE uses some secret backdoor.

Re:So let me get this straight... (0)

Anonymous Coward | more than 4 years ago | (#30453880)

You shouldn't be running closed source software on computers you keep private information.

Re:So let me get this straight... (5, Funny)

Anonymous Coward | more than 4 years ago | (#30453918)

Linux: optimized for child porn!

Re:So let me get this straight... (2)

sheph (955019) | more than 4 years ago | (#30453992)

Sorry I'm lost. How did you come to that astute conclusion?

Re:So let me get this straight... (1)

Slashdot Suxxors (1207082) | more than 4 years ago | (#30454398)

The parent made a joke in reference to the GP's post. It's a joke! God damn, just laugh! It was funny!

Re:So let me get this straight... (1)

MrNaz (730548) | more than 4 years ago | (#30455098)

How did you come to that astute conclusion?

Well you see it's like this. The OP made a statement that was a tad too broad and could be misconstrued if more than was intended was read into it. When you take a situation like that, then you add in the conversational construct known as "humor" then you arrive at one of those so-called "jokes". This "joke" is intended to result in a reflex reaction in the reader, consisting of successive, rapid contractions of the diaphragm, often accompanied by a facial expression resembling a smile, but more exaggerated and with a more open esophageal passage. Usually, a sound is produced as well, which is referred to colloquially as "laughter".

I hope that clears it up.

Multiple Mod Categories (0, Redundant)

TangoMargarine (1617195) | more than 4 years ago | (#30454944)

+1 Funny, -1 Troll, +1 WTF

IMO there are three kinds of funny: Funny as in joke funny, dry funny (e.g., sarcasm, dramatic irony), and "what the heck, where did that come from?" funny.

Re:Multiple Mod Categories (1)

mqduck (232646) | more than 4 years ago | (#30455188)

"what the heck, where did that come from?" funny.

Now known on the Internet as "LOL SO RANDOM".

Re:So let me get this straight... (1)

pitchpipe (708843) | more than 4 years ago | (#30454022)

pitchpipe's inverse to Anonymous Coward's conditional: You shouldn't be running open source software on computers you keep public information. Oh, wait a minute!...

Re:So let me get this straight... (1)

Gerzel (240421) | more than 4 years ago | (#30454992)

For your private information it is too late. Your info is already on closed source and quite probably badly maintained/secured computers.

Disable autorun, lock your computer (4, Informative)

OverlordQ (264228) | more than 4 years ago | (#30453770)

AFAIK, if your computer is locked COFEE relies on autorun to work, so disabling autorun and locking your computer will pretty much thwart COFEE, since it would somehow require bypassing MS's supplied GINA dll, which, given it's Microsoft, they might know how to do, but I would find it highly unlikely.

Re:Disable autorun, lock your computer (1)

shacky003 (1595307) | more than 4 years ago | (#30453964)

I seriously doubt a forensics tool created by the same developers that created what it tries to break into, is going to rely on autorun to get things started.. Even if that is the case, it's not exactly hard to obtain a password removal tool out in the wild to get rid of the "lock your computer"..(ie: linux live cd's that run scripts to kill saved winxp/vista/win7 account passwords) I've had one in particular for years that I use when someone calls me to say "how do I get into my box when I can't remember the password"

Re:Disable autorun, lock your computer (1)

phantomcircuit (938963) | more than 4 years ago | (#30454054)

COFFEE is designed to circumvent on disk encryption. To do this it gets the keys from the running system. So it is actually perfectly reasonable that they used autorun given that it runs stuff even when the screen is locked.

Re:Disable autorun, lock your computer (2, Interesting)

MaximKat (1692650) | more than 4 years ago | (#30454130)

So it is actually perfectly reasonable that they used autorun given that it runs stuff even when the screen is locked.

Yeah, it does... in Windows 95.

Re:Disable autorun, lock your computer (1)

GameboyRMH (1153867) | more than 4 years ago | (#30456546)

+1 I posted on this further up. [slashdot.org] The "Autorun with screen locked" vulnerability is ancient history, and in Vista/7, Autorun requires user input. (and then the app would need admin privileges to do anything meaningful, spawning a UAC prompt, which again requires user input, and is designed to prevent inputs from being spoofed). There must be some secret backdoor in use.

You're missing the point of COFEE (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30454158)

The point of COFEE is to grab things that would be lost when the computer is shut down (passwords stored in ram, temporary files, etc) before they pull the plug and take it back to headquarters.

(Pull the plug, not just tell it to shut down, because it may have a shutdown process in place to wipe evidence.)

And yes, you could use linux live CDs to remove passwords, but that involves changing what is on the disk, thereby ruining it as evidence. There are strict procedures in place to prevent the evidence from being corrupted. (ie: drive is duplicated, and then only the copy of the original drive is worked on...)

Re:You're missing the point of COFEE (1, Informative)

Anonymous Coward | more than 4 years ago | (#30454570)

I'm sure more competent forensics people don't pull the plug. Instead they would keep the machine up and running and capture it in that state, using clips to keep it fed the voltage as it gets loaded onto a vehicle and until it gets to the forensics area. There, you use a PCI or IEEE 1394 card to dump the box's RAM.

Then, the hard disk gets imaged via a hardware write blocker (very important), the decryption keys in RAM used to decrypt the image of the HDD, and the search for whatever stuff (after ACTA, any music files that don't have DRM most likely because of the guilty until proven innocent provisions) begins.

Re:You're missing the point of COFEE (1, Informative)

Anonymous Coward | more than 4 years ago | (#30456632)

You are basically right.

COFEE was not created for forensics people at all but instead for LEA guys. It was created to be used by ordinary police officers who might encounter a suspicious PC in a live situation. It would be dramatically better if that officer used that COFEE stick on a live PC, before he pulled the plug instead of just pulling the plug and carrying the PC away without saving any volatile information.

Imaging RAM through firewire is pretty uncommon, although possible. Usually, an ordinary Linux CD/DVD is used by forensics people, together with "dd" and "nc" to acquire the RAM image and stream it over the network. That way you have the least impact on the live system. Firewire is really cool when you encounter a locked windows PC, forensically speaking, because that way you can copy the RAM without having to unlock the PC, but I doubt that this is actually done often, if ever.

Disclaimer: posting as AC as to not undo my moderation.

Re:Disable autorun, lock your computer (0)

Anonymous Coward | more than 4 years ago | (#30454036)

Either that, or install Linux ;)

Re:Disable autorun, lock your computer (1)

JWSmythe (446288) | more than 4 years ago | (#30454410)

Read the instructions. It works with autorun, but if autorun is disabled you're supposed to use the file manager to browse to the USB device and execute it.

If you really read into the COFEE instructions, you'd see it doesn't give too much up. Well, it says a lot, but not about 3rd party software. It mostly gives standard MS stuff from the registry. Decrypted login passwords, what's set to run at boot time, etc. It would be a good forensic tool for cleaning up after a break in though, which may be more of what it is intended for.

Now, if someone were using a P2P client to download kiddie porn, or a 3rd party mail client to talk to their underage smut peddling friends, it would be worthless. COFEE is very primitive to say the least. It's a start, and I'm sure by version 7 it could be something to worry about. Well, not for me. I don't have any smut peddling friends, and I don't have anything remotely smutty.

I suppose for the lesser educated people who would use the same password for their Windows login as their webmail account, it could be hazardous to their freedoms. I still don't like the idea of people snooping around my computer. Even though I have nothing to hide, I don't like the idea of giving up my privacy.

Re:Disable autorun, lock your computer (1)

OverlordQ (264228) | more than 4 years ago | (#30455718)

but if autorun is disabled you're supposed to use the file manager to browse to the USB device and execute it.

That is why I said lock the computer, then they can't get to the file manager.

Re:Disable autorun, lock your computer (1)

jonaskoelker (922170) | more than 4 years ago | (#30455372)

$ apt-cache search GINA dll
$

Dammit, now I can't check out COFEE :(

Not open source (1)

markdavis (642305) | more than 4 years ago | (#30453808)

>The article notes that DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.

And most people running MS-Windows know for sure what THAT will do to their computers?

Does seem odd, though, that DECAF would not be open so people (in the know) would trust it and could learn from it. Oh well.

This is the best idea they've come up with yet... (4, Insightful)

robot256 (1635039) | more than 4 years ago | (#30453816)

...to distribute rootkits and create botnets. Even better than those "Free Antivirus Software" downloads.

Seriously, is anybody going to trust something like this without the source? Somebody intelligent enough not to open unsolicited email attachments, at any rate.

(And yes, I realize there might be "legitimate" reasons for keeping the source out of law enforcement's hands, but frankly [at risk of trolling] I would rather be spied on by the government than identity thieves.)

Q: does COFEE run on Linux? (0, Redundant)

alexmin (938677) | more than 4 years ago | (#30453826)

No? GOOD

Meh... (1)

Nabeel_co (1045054) | more than 4 years ago | (#30453862)

I think I'll just stick to Pepsi

LiveCD (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30453910)

were I living in a communist country like China, i'd use a linux livecd with no attached hard drive.

Re:LiveCD (3, Funny)

ZeroExistenZ (721849) | more than 4 years ago | (#30455046)

were I living in a communist country like China, i'd use a linux livecd with no attached hard drive.

I first encrypted all my temporary data, encrypted everything in cache, it was a sweet algorithm. But I figured that wasn't enough, an onion-rings didn't help either. (I tried, I failed.)

So then I decided to use my PC without a keyboard, so they couldn't log my keystrokes or discover what I was typing by processing the audio of my keystrokes. From there on, everything was a success; I could later remove my monitor so no one could see what I was doing and I could just imagine keyboard input on my PC.

I wasn't ever so productive and most of all SECURE.

Soon enough, I felt my mouse movements could also be secured by removing my mouse. Once I mastered this way of working, they suggested I could also work without turning on my PC, as they could measure my work by reading radiation from my CPU "if they really would be wanting to read my work"; just tossing out my HD wasn't sufficient. So, right now, I'm 100% secure, sitting at my desk, imagining my work.

I did read something about mindreading, but I think that's just FUD.

Arguments (5, Insightful)

Demonantis (1340557) | more than 4 years ago | (#30453954)

I realize a large number of people won't trust it because it's not open source. I can see the author's viewpoint though of not wanting Microsoft to turn around and make a patch against it. If you don't want it don't run it, but if it is a trojan a firewall can easily defeat that. If it is a virus word will spread and people will avoid it. It is like the Antivirus 2009 programs, which, other than being blatantly obvious viruses, don't work anymore because people know they are bad.

Re:Arguments (2, Insightful)

JonJ (907502) | more than 4 years ago | (#30454312)

I can see the authors view point though of not wanting Microsoft to turn around and make a patch against it.

One would think that Microsoft has little to no problems doing this without the source.

Re:Arguments (1)

henrik.falk (912694) | more than 4 years ago | (#30455708)

Microsoft already knows what they need to patch, seeing as they know what source code they leaked.

Perhaps there is more here than meets the eye. (1)

Old Flatulent 1 (1692076) | more than 4 years ago | (#30453974)

Could be that Microsoft is also really concerned about Cofee accessing protected encrypted files that would allow hackers to pirate legitimate copies of Windows if the device identity encoding within WGA is cracked! I am afraid someone might have just let the horse out of the barn through a Windows backdoor. The heads are about to roll in Redmond again!

Quit bitching (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30454010)

"oh noes, it's not open source!" shut up you idiot, you're running windows. install linux and stop worrying about microsoft already.

Confused? (1, Redundant)

BountyX (1227176) | more than 4 years ago | (#30454060)

I'm a little confused, what exactly is the point of DECAF? Wouldn't encrypting your hard drive be more effective?

Re:Confused? (2, Funny)

Monkeedude1212 (1560403) | more than 4 years ago | (#30454154)

Cofee attempts to decrypt your drive.

Or... (0)

Anonymous Coward | more than 4 years ago | (#30454104)

It could be that they are intending to sell it as a product in a future release.

Just wait!!! (4, Funny)

Monkeedude1212 (1560403) | more than 4 years ago | (#30454170)

Soon I'll Release my Beta version of FRENCH VANILA

(Forensic Reducing Emulator Named Coherantly and Handsomely for Very Awesome Naughty and Illicit Activities)

Best DECAF is.... (1)

cigawoot (1242378) | more than 4 years ago | (#30454252)

Linux! ammite?

Re:Best DECAF is.... (0)

Anonymous Coward | more than 4 years ago | (#30454482)

but my linux box has Kaffeine!

Wait, what--? (3, Insightful)

girlintraining (1395911) | more than 4 years ago | (#30454304)

...so you aren't really going to know for sure what it will do to your computer.

You're saying you don't know how to run a debugger in a VM session? or registry and file monitoring utilities? I get that analyzing machine code may be a bit of a lost art, but if you have the binary file you have everything you need to figure out what it does -- eventually. Someone will reverse-engineer it. In fact, I rather expect the authors knew this when they released it.

simple tools (1)

KevMar (471257) | more than 4 years ago | (#30454514)

There is so much more COFEE should have done. It looks like it takes a look at your current running state. It grabs network connections you have open, running processes, and user account names that are logged in. Things that get lost when you power a computer off. The autorun is just to make it simple for the user. I don't expect this is the only tool run. I expect it is a quick snapshot before you pull the plug.

Microsoft did take care to get the correct versions of the tools for each OS. You know how you can take some utils from XP and run them on 2000 or Windows 7. This collection of tools looked like they should be able to run on any version. But for whatever reason they had a version of netstat for every Microsoft OS. My only reasoning for them to do it is for how it would stand up in the court room. It could be argued that using the XP version on the Vista machine could have given invalid results because it was not meant to be run on Vista.

I have not looked at DECAF yet. But a simple root kit is all you need to defend this off. Hide running processes and network connections. Or better yet, stop breaking the law.

Re:simple tools (0)

Anonymous Coward | more than 4 years ago | (#30454606)

What if you don't realize you're breaking the law? I'm not talking about in obvious cases where there is something highly illegal going on and you are aware of it. I cannot find the story (anyone wanna help?) but I remember a story posted here a few months ago that talked about a man who clicked on this very blurry, tiny thumbnail which happened to be posted by the FBI in an attempt to flesh out pedophiles. Apparently it was a very tiny blurry thumbnail of child porn and the man arrested had no idea he was breaking the law. When do you separate innocent victims from people who are intentionally breaking the law? In the case of COFEE there is nothing to distinguish such a thing. Hell, the American legal system refuses to distinguish innocent victims from intentional predators when it comes to things like possession of child pornography. I agree with what the others have said here: I may not be doing anything illegal (at least as far as I know) but I still don't want someone going through my files. I value my privacy, and you should value yours as well.

How about.... (0)

Anonymous Coward | more than 4 years ago | (#30454602)

Get a mac?

I am confused. (2, Insightful)

TexasTroy (1701144) | more than 4 years ago | (#30454610)

Someone please explain. How is Windows secure (no pun intended) if Microsoft can release a tool, or script, which can get information from a password or encrypted system? Surely this cannot be an exploit to a backdoor. Does the use of COFEE require a user to already be logged in for it to work? Seriously. If this is the case, what keeps an evil-doer from using the tool to get into any window system they want and do whatever they want? If the tool has been leaked, then there is plausible deniability regarding any type of evidence on any windows box. Even if it were not leaked, this is proof that the windows platform is inherently insecure because there is a built-in method for bypassing its security features. Someone knowledgeable care to enlighten the uninformed?

Re:I am confused. (1)

Archangel Michael (180766) | more than 4 years ago | (#30454738)

No, you're not confused.

Re:I am confused. (1)

daveime (1253762) | more than 4 years ago | (#30455136)

Umm, because the password used to encrypt the data is on the SAME PC ?

Or to use a car analogy, the things inside a locked car are safe, unless you leave the keys in the lock.

Where are the (0)

Anonymous Coward | more than 4 years ago | (#30454628)

.. about DECAF and COFEE?

hmmm (0)

Anonymous Coward | more than 4 years ago | (#30454846)

this thing tries to access dns on startup and crashes if not allowed

seems suspicious to me

Re:hmmm (1)

daveime (1253762) | more than 4 years ago | (#30455138)

Half of the services on Windows try to access DNS. Even mundane stuff you wouldn't think of like Print Spoolers etc ... it's for network exploration, to see what's connected to your network, mostly (in little-girl-from-Aliens-voice).
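The triage the commenters sketch (run the program in an isolated VM, capture its traffic, and then decide which of that traffic is actually the program's rather than ordinary Windows DNS chatter) is shown below as an added example; it is not code from the thread, from COFEE or from DECAF. It assumes a constructed per-connection log format of its own (time, process, protocol, destination, port, optional DNS query name), not Wireshark's export format, and both captures, the idle baseline and the run with the suspect program, are constructed sample lines. The general step it demonstrates is baseline subtraction: only behaviour that never appeared while the host was idle gets flagged.

```python
"""
Added example, not from the thread: triage a suspect program's network
activity by capturing it in an isolated VM and subtracting a baseline of
what the host does on its own. Both captures are constructed log lines in
a simplified per-connection format defined here (time, process, protocol,
destination, port, optional DNS query name); not Wireshark's own format.
"""
from collections import namedtuple

Conn = namedtuple("Conn", "ts proc proto dst port qname")

# Constructed baseline: the VM idle for a few minutes, suspect program not
# running. Windows services do their own DNS lookups, which is exactly why
# a baseline is needed before any lookup is called suspicious.
BASELINE_CAPTURE = """
2009-12-16T10:00:01 svchost.exe UDP 10.0.0.1 53 DNS time.windows.com
2009-12-16T10:00:02 svchost.exe TCP 198.51.100.20 80
2009-12-16T10:00:05 spoolsv.exe UDP 10.0.0.1 53 DNS wpad.corp.example
2009-12-16T10:01:10 svchost.exe UDP 10.0.0.1 53 DNS time.windows.com
"""

# Constructed second capture: same VM with the suspect program started.
SUSPECT_CAPTURE = """
2009-12-16T10:05:00 svchost.exe UDP 10.0.0.1 53 DNS time.windows.com
2009-12-16T10:05:01 suspect.exe UDP 10.0.0.1 53 DNS updates.example.net
2009-12-16T10:05:02 suspect.exe TCP 203.0.113.7 443
2009-12-16T10:05:03 spoolsv.exe UDP 10.0.0.1 53 DNS wpad.corp.example
2009-12-16T10:05:30 suspect.exe TCP 203.0.113.7 4444
"""

WEB_PORTS = {80, 443}


def parse_capture(text):
    """Parse the constructed format; malformed lines are skipped, not guessed at."""
    conns = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, proc, proto, dst, port = parts[:5]
        qname = parts[6] if len(parts) >= 7 and parts[5] == "DNS" else None
        try:
            conns.append(Conn(ts, proc, proto, dst, int(port), qname))
        except ValueError:
            continue
    return conns


def behaviour_key(conn):
    """What a connection 'is', ignoring when it happened and which process
    made it, so repeats of baseline behaviour are never flagged."""
    return (conn.proto, conn.dst, conn.port, conn.qname)


def classify(conn):
    """Tag why a non-baseline connection stands out."""
    if conn.qname:
        return "new-dns-name"
    if conn.port not in WEB_PORTS:
        return "unusual-port"
    return "new-destination"


def triage(baseline_text, suspect_text):
    """Return every connection in the suspect capture whose behaviour never
    appeared in the baseline, each tagged with a classification."""
    baseline = {behaviour_key(c) for c in parse_capture(baseline_text)}
    findings = []
    for conn in parse_capture(suspect_text):
        if behaviour_key(conn) in baseline:
            continue
        findings.append({"conn": conn, "kind": classify(conn)})
    return findings


def summarize(findings):
    """Group finding kinds by originating process for a quick read."""
    by_proc = {}
    for f in findings:
        by_proc.setdefault(f["conn"].proc, []).append(f["kind"])
    return by_proc


if __name__ == "__main__":
    results = triage(BASELINE_CAPTURE, SUSPECT_CAPTURE)
    for f in results:
        c = f["conn"]
        print(f"{c.ts} {c.proc:12} {c.proto} {c.dst}:{c.port} "
              f"{c.qname or ''} -> {f['kind']}")
    print(summarize(results))
```

On the constructed captures the three flagged lines all belong to suspect.exe: one DNS name never seen while idle, one new HTTPS destination, and one connection on a non-web port. A capture of this kind only shows what the program does while it is being watched, which is the point shird raises above about a program that stores data and sends it later; the baseline approach still applies, but the observation window has to be long enough to cover that behaviour.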

And what does the COFEE generated data prove? (1)

fluch (126140) | more than 4 years ago | (#30455414)

Seriously, what does COFEE generated data prove? If my computer would run XP and for some reason some official would want to plug a USB stick with the label "COFEE" into it, then what ever data they claim to find I could deny easily that it was mine. After all, on the USB stick there could have been ANY program which plants ANY data on the computer it was plugged into!

As far as I know, part of proper computer forensics work is to first (!) duplicate the hard drive in question, then generate a checksum for both drives (which of course should be the same), and lock away one of the drives in a separate place such that one can prove later on that nobody has changed the original hard drive and that the gathered data is authentic!

But this COFEE is just pathetic!
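The image-then-verify step described by fluch here, and by the anonymous commenters above who mention write blockers, `dd` and `nc`, is shown below as an added example; it is not code from the thread, from COFEE or from any forensic tool the thread names. It assumes a constructed in-memory byte stream standing in for the device (a real acquisition would read a block device behind a write blocker), and the chain-of-custody record's field names and the examiner value are this example's own placeholders. The copy is hashed as it is written, the stored copy is hashed again independently, and a single flipped byte in a working copy is enough to fail verification.

```python
"""
Added example, not code from the Slashdot thread, COFEE or DECAF: acquire an
image with a running hash, verify the stored copy against that hash, and tie
both to a chain-of-custody record. The "device" is a constructed in-memory
byte stream; the custody record's schema is this example's own.
"""
import hashlib
import io
import os
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB read size, comparable to a dd block size


def acquire_image(source, dest_path, chunk=CHUNK):
    """Stream `source` (binary file-like) to dest_path, hashing each block as
    it passes. Returns (bytes_written, sha256_hex). The hash covers the bytes
    read from the source, so it describes the evidence at acquisition time
    regardless of what later happens to the copy on disk."""
    digest = hashlib.sha256()
    written = 0
    with open(dest_path, "wb") as out:
        for block in iter(lambda: source.read(chunk), b""):
            digest.update(block)
            out.write(block)
            written += len(block)
    return written, digest.hexdigest()


def hash_file(path, chunk=CHUNK):
    """Independent SHA-256 of a stored image, read back from disk."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(path, expected_sha256):
    """True only when the stored copy still matches the acquisition hash."""
    return hash_file(path) == expected_sha256


def custody_record(path, size, sha256_hex, examiner):
    """Minimal chain-of-custody entry (constructed schema, placeholder examiner)."""
    return {
        "image": os.path.basename(path),
        "bytes": size,
        "sha256": sha256_hex,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
    }


def demo():
    """Acquire a constructed device, verify the copy, then show that one
    flipped byte in a working copy is caught. Returns the outcomes."""
    # Constructed sample evidence: a few MiB of repetitive content.
    device = io.BytesIO(b"constructed-sample-evidence-" * 150_000)
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.img")
        size, acq_hash = acquire_image(device, image)
        record = custody_record(image, size, acq_hash, "examiner-placeholder")
        stored_ok = verify_image(image, acq_hash)

        # Simulate tampering with a working copy: flip one bit mid-image.
        tampered = os.path.join(workdir, "working-copy.img")
        with open(image, "rb") as src, open(tampered, "wb") as dst:
            data = bytearray(src.read())
            data[len(data) // 2] ^= 0x01
            dst.write(data)
        tampered_ok = verify_image(tampered, acq_hash)

        # Known-answer check: SHA-256("abc") is a published test vector.
        _, abc_hash = acquire_image(io.BytesIO(b"abc"),
                                    os.path.join(workdir, "abc.img"))

    return {
        "bytes": size,
        "record": record,
        "stored_ok": stored_ok,
        "tampered_ok": tampered_ok,
        "abc_sha256": abc_hash,
    }


if __name__ == "__main__":
    result = demo()
    print(result["record"])
    print("stored copy verified:", result["stored_ok"])
    print("tampered copy verified:", result["tampered_ok"])
```

Hashing on the way in and again on the stored copy is what lets an examiner show later that the working copy is the same bytes that came off the device; the original, as fluch says, is then locked away and only the verified copy is analysed.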

Re:And what does the COFEE generated data prove? (1)

Matey-O (518004) | more than 4 years ago | (#30456122)

It proves you don't know much about computer forensics, that's for sure.

Arrested Development Makes My Banana Stand (0)

Anonymous Coward | more than 4 years ago | (#30455456)

Arrested Development Makes My Banana Stand

It was foreseen! (1)

Thoggins (1162149) | more than 4 years ago | (#30455514)

Slashdot users proved prophets for the nth time over: http://tech.slashdot.org/comments.pl?sid=1435688&cid=30021576 [slashdot.org]

Re:It was foreseen! (1)

robot256 (1635039) | more than 4 years ago | (#30455918)

Who's to say that AC wasn't actually involved writing it at the time? :D

Re:It was foreseen! (0)

Anonymous Coward | more than 4 years ago | (#30456292)

Who's to say that AC wasn't actually involved writing it at the time? :D

Are you insinuating, however subtly, that I am calling myself a prophet after posting anonymously while working on a secret anti-MS project?

If only I were *that* cool.

Re:It was foreseen! (1)

Thoggins (1162149) | more than 4 years ago | (#30456310)

Stop that man! He has stolen my identity!

DECAF is not open source (0)

Anonymous Coward | more than 4 years ago | (#30456018)

DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.

Oh yay! I cannot wait to install some unknown software on my computer that promises it will detect and block other unknown software.

No thanks... (1)

NastyGnat (515785) | more than 4 years ago | (#30456346)

I'll stick with my SODAS (Some Other Data Archival System). It runs on Linux and doesn't like COFFEE or DECAF.

COFEE? DECAF? Pointless. (0)

Anonymous Coward | more than 4 years ago | (#30456680)

My 2 cents:

If someone has physical access to your machine, you're likely going to be boned. I tried COFEE, it's nothing special. It's not a secret elite tool. If you are knowledgeable enough to secure things so that physical access to your machine doesn't matter, there is nothing that COFEE can do to you.

All the hype around this is not generated by anyone in info. sec. It's typical "scary" media coverage.
