Anti-COFEE tool DECAF revealed as spoof

digintel
(@digintel)
Trusted Member
Joined: 17 years ago
Posts: 51

Ditto. I am more concerned about what I will have for dinner than DECAF or COFEE…

If you need COFEE, then you are not doing forensics, and most likely don't have sufficient training to use it properly anyway.

Well... it seems like the DECAF people keep on going; they've just released Version 2.

They had this to say about the recent storm of criticism:

"We originally pulled the app because of legal pressure. With DECAF v1 originally set out to restrict forensic extractions made by Microsoft COFEE, it raised major concerns with its ethical nature and potential hazard to the disruption of criminal investigations. By us disabling the application, it freed us from any damage that might have happened in the event DECAF v1 was used to block forensic examiners from extracting data. We used the words "publicity stunt" because when we pulled DECAF v1 offline and disabled the applications, we had a lot of media attention. We decided to use that channel to raise awareness for better security and more privacy tools.

After the interview with Cyberspeak, we had a nice long phone conversation. During that time, they informed me of my hazardous circumstances and gave me excellent advice; take DECAF down. Of course, if you know anything about them over at Cyberspeak, you would know they are very intelligent on more than just forensics. They are pretty well versed with federal statues. It would be silly of me to think that I knew more than them, so I followed their advice and pulled the app."

I wonder what makes these guys tick?

Roland



(@douglasbrush)
Prominent Member
Joined: 17 years ago
Posts: 812
Topic starter

Ovie had some salient points about the intent and impact of such a software package that seemed to get Michael from DECAF to pull the app.

But now

Version 2 is finished. We are now monitoring Microsoft COFEE, Helix, EnCase, Passware, Elcomsoft, FTK Imager Port, Forensic Toolkit, ISOBuster, and ophcrack. We also give the user the ability to add their own custom signatures. We have also added CD-Rom monitoring. We no longer execute a "self destructive lock-down mode" but rather give the user the ability to execute files, to disable the device where the signatures were found, and start-up in monitor mode.

And it's back. The whole thing is odd at best, and if it can add custom signatures, can it be used upon itself to detect DECAF? It MD5 hashes the exe of an application to scan when it runs. You could theoretically do the same with antivirus software as well to detect an exe and halt the process, so what is the big deal about this?



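The detection the post describes is a hash lookup on the executable's bytes. The following Python sketch is an added illustration and is not DECAF's code (its real signature list and internals are not on the page). It builds a signature set from MD5 digests of constructed stand-in file contents, scans a set of files written to a temporary directory, and shows both the property the post points to (a renamed copy still matches, because the digest is of the bytes, not the name) and the limit of the approach (a copy with a single byte appended produces a different digest and goes unmatched, which is also why antivirus products do not rely on whole-file hashes alone). All file names and contents below are constructed for the example.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for tool binaries. The real DECAF signatures are not
# on the page and are not reproduced here; these bytes exist only so the
# example runs offline.
SAMPLE_TOOL_CONTENT = b"MZ\x90\x00example-forensic-tool-v1"
SAMPLE_OTHER_CONTENT = b"MZ\x90\x00unrelated-program"


def md5_of_file(path, chunk_size=65536):
    """MD5 of a file's full contents, read in chunks so large binaries fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_signatures(named_samples):
    """Map MD5 hex digest -> label, the shape a custom signature list would take."""
    return {hashlib.md5(data).hexdigest(): name for name, data in named_samples.items()}


def scan_paths(paths, signatures):
    """Return (path, label) for every file whose MD5 appears in the signature set."""
    hits = []
    for p in paths:
        digest = md5_of_file(p)
        if digest in signatures:
            hits.append((p, signatures[digest]))
    return hits


def demo():
    """Write four constructed files and report which ones a hash-only scanner flags."""
    sigs = build_signatures({"example_tool": SAMPLE_TOOL_CONTENT})
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "tool.exe")
        renamed = os.path.join(d, "notepad.exe")        # same bytes, different name
        patched = os.path.join(d, "tool_patched.exe")   # one byte appended
        other = os.path.join(d, "other.exe")            # unrelated program
        samples = (
            (original, SAMPLE_TOOL_CONTENT),
            (renamed, SAMPLE_TOOL_CONTENT),
            (patched, SAMPLE_TOOL_CONTENT + b"\x00"),
            (other, SAMPLE_OTHER_CONTENT),
        )
        for path, data in samples:
            with open(path, "wb") as f:
                f.write(data)
        hits = scan_paths([original, renamed, patched, other], sigs)
        # Only the two byte-identical copies match; the patched copy is missed.
        return sorted(os.path.basename(p) for p, _ in hits)


if __name__ == "__main__":
    print(demo())
```

Running the block prints `['notepad.exe', 'tool.exe']`: the renamed copy is caught, the one-byte-different copy is not. That is the whole strength and weakness of a whole-file hash signature in one result, and it is why a custom signature list can just as easily be pointed at DECAF's own executable as at any forensic tool.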
(@jonathan)
Prominent Member
Joined: 21 years ago
Posts: 878

DECAF keeps contradicting itself…all looks a little delusional to me.



keydet89
(@keydet89)
Famed Member
Joined: 22 years ago
Posts: 3568

DECAF keeps contradicting itself…all looks a little delusional to me.

How so? I've read the press release…while it reads like yet another example of someone writing too quickly, how does it contradict itself?

Thanks.

h



(@seanmcl)
Honorable Member
Joined: 20 years ago
Posts: 700

Gee, if they are that concerned about Federal "statues", I'm sure that they could find work cleaning monuments in the District of Columbia.



(@kovar)
Prominent Member
Joined: 19 years ago
Posts: 805

Greetings,

I wonder if Project Leadership Associates knows that their banner ad is running on the decafme.org web site?

If you listen to the Cyberspeak podcast, most of what they say in the new press release contradicts what they said in the podcast. Originally, they were trying to make a point, did so, and were content to call it done and move on. Originally, they were only targeting COFEE because it was a poorly written tool and they didn't want LE depending on bad tools. Originally, they didn't want to help criminals escape prosecution through the use of their tool.

Now they're releasing a new tool, targeting far more than COFEE, and don't seem to mind that the tool could be used by criminals in an anti-forensics manner.

The press release itself is inconsistent. It starts off saying "By us disabling the application, it freed us from any damage that might have happened in the event DECAF v1 was used to block forensic examiners from extracting data." Then they say that the disabling wasn't intentional, it was bad coding. Then they release a newer version, so clearly they're not worried about the legal implications either.

-David



CdtDelta
(@cdtdelta)
Estimable Member
Joined: 18 years ago
Posts: 134

There's a term they use on fark.com for people always looking for attention.

My question would be (and mind you I haven't looked at the site) why would you trust a v2 of this tool as a user, knowing they can disable it remotely. Heck they could be pushing all this press to create a nice botnet for all anyone knows.

Although kovar's comment about the PLA banner ad is pretty funny to me (for some personal reasons).

Tom



(@kovar)
Prominent Member
Joined: 19 years ago
Posts: 805

Greetings,

They claim that they removed the "phone home" capability and remote disable feature from version 2, but your point is well taken. And until someone reverse engineers the code, we don't know what is really in there.

They could turn around in two weeks' time and say to LE "Hey, here's a list of IP addresses that ran DECAF, go get them!" too.

-David



keydet89
(@keydet89)
Famed Member
Joined: 22 years ago
Posts: 3568

They could turn around in two weeks' time and say to LE "Hey, here's a list of IP addresses that ran DECAF, go get them!" too.

David, I'm a little unclear how running DECAF indicates something illegal being done…



(@kovar)
Prominent Member
Joined: 19 years ago
Posts: 805

Harlan,

My bad, I didn't mean to imply that running DECAF was illegal. It was a toss off, a random speculation, that "Mike" might turn 180 degrees, collect IPs counter to his pro-privacy stance, and try to make the argument that anyone running DECAF had something to hide.

Put another way, there's no reason for anyone in any community to trust DECAF.

-David


