So Microsoft quietly released a USB drive to a bunch of law-enforcement officers to allow them to collect data (passwords, Internet history, cookies, etc) from “live” Windows machines. While this is “breaking news” today (probably more now, but this search only showed two pages on Google as of this morning), it seems that people have been talking about it since (at least) last year, and it’s almost May now.
Many people are freaking out that Windows’ security can be so easily defeated, which shouldn’t really be news to anyone when you’re standing in front of the machine. This is not some magic key that the police have that will allow them to breach every firewall on the planet and steal your secrets. So relax a little. If the police are standing in front of your computer, you’ve probably got bigger problems than them stealing your surfing history.
The biggest theft of data I personally know about was a server that was stolen from a Vancouver Law Firm of Note because someone with a hand-cart told the receptionist they were “here to work on the computers,” walked through the accounting department, opened the sliding glass doors to the server room, unplugged the primary document server, and rolled it back out the front door. Nobody knew anything untoward was happening untilthe System Administrator started getting “I can’t save” phone calls. Their firewall and security didn’t help them against a simple “walk up and take it” approach.
Physical breach of a workstation pretty-much guarantees loss of security/privacy.
Here’s some questions I have about this Cofee thing:
- Remember when some people started bashing crypto groups with a “What do you have to hide, are you doing something illegal?” argument? Maybe those same folks are running to the nearest BestBuy and trying to buy “strong” security software. I’ve got news for you folks: if you can BUY it, and it’s not OpenSource, chances are extremely freakin’ high the People In Charge already have keys for that, too.
- Do you really think Joe Consumer will switch to Ubuntu because maybe the cops can get at their surfing history?
- Don’t you think similar toolkits exist for Linux/Mac?
- What constitutes a “search” and whether or not they’ll need to convince a judge that it’s justified to pop one of these thumb drives into your machine for 30 seconds. They’re not *doing* anything to your computer, just popping a drive in there for a second.
- What happens if you’ve got a visitor kiosk in the lobby of your office, attached to the network, and someone pops one of these drives into an exposed USB port (not that there would *be* any, of course).
- How is the data that’s been collected protected against tampering/theft?
- What’s to stop people from writing a “De-COFEE” utility that’ll look for signs that the USB drive inserted is a COFEE device, and simply wipe it, or inject something that’ll do horrible things to the law enforcement systems they’re later plugged into?
- What’s to stop a “Wipe local drive upon COFEE detection” utility?
- Expressed in minutes, how long do you think it’ll be before this kit’s utility set accidentally finds its way onto the Net?
- …in hours, how long before I start getting comments on this blog about Linux-based USB drives that’ll perform EXACTLY the same function?
- …in days, how long before there’s a new MSN-messenger-based Trojan that’ll do the same thing?
Maybe this’ll mean that they’ll have a standard method of collecting information about what is being done with a particular computer, instead of the current rather haphazard methodology that’s being used, which essentially means conviction (deserved or not) is based on how computer-savvy the local police detachment happens to be, and whether or not they can tell a usb drive from a book.
All in all, I think it’s a good thing, and I think the backlash against it, and the overall strengthening of everyone’s tools will be a positive thing.