
PSA: Tor Vulnerability Reporting Procedure

A few weeks ago a.nolen reader Hubri5 alerted me to the sorry fate of two Tor researchers from Carnegie Mellon who didn’t ask the Department of Defense for permission to talk about their work on de-anonymizing the Tor network. These researchers, Alexander Volynkin and Michael McCord, had their Black Hat 2014 talk cancelled at the 11th hour; the talk was titled “You don’t have to be the NSA to break Tor: de-anonymising users on a budget”.

That’s bad behavior folks– bad behavior on the part of Volynkin and McCord. Always get permission from the DoD or The Tor Project before talking about Tor vulnerabilities. Tor must maintain the trust of its users– this is a matter of national security.

I don’t want to harp on the negative, so I’m going to talk about one company who did things right by Tor, and it seems, gave up valuable digital forensic analysis business in the process. Digital Forensics Solutions LLC is a New Orleans-based company that captures digital evidence for its customers, who presumably include law enforcement.

The driving force behind Digital Forensics is– or was, because he’s not currently listed on their website– researcher Andrew Case. Case wrote a clever add-on for the open-source memory analysis toolkit Volatility, which lets users reconstruct files even when ‘criminals’ have taken security precautions by only using random access memory on their machines. Case was able to reconstruct files even after they’d been scrambled by popular ‘live cd’ operating systems like Tor’s TAILs, Ubuntu or BackTrack.

Even though Case makes a living by exploiting the technological edge of digital forensics, he chose to give up that edge by making his research known to the wider world, and in particular, The Tor Project. Why, Case?

“You know with Tor, they deal in a lot of countries where there aren’t warrants or anything, so it’s, uh, it can be hectic.”

For Andrew Case, and Digital Forensics Solutions LLC, global citizenship trumps the profit motive. Tor helps places that, uh, don’t have warrants, like we have warrants in America. Case and his employer share that same wide-eyed altruism that inspired Operation Iraqi Freedom!

I’ve embedded a video of Case giving an ‘update’ to his Black Hat 2011 talk titled De-Anonymizing Live CDs through Physical Memory Analysis. This Black Hat talk was not pulled, because as Andrew explains in the video below, he contacted the appropriate players first. [Good stuff starts after 7:40. Not Work Safe.]

Q: So what did TAILs do to mitigate forensic analysis?

Case: So this is actually pretty interesting. When the abstract went online for the Black Hat talk it had mentioned TAILs, and analyzing the TAILs live cd, and it’s something that immediately hit their developers’ list and I emailed them and they started working on some stuff.

Tor Vulnerability Researchers: All The Tor Project wants is to be given a heads-up, so they can spin the vulnerability to the media in a way that preserves the public’s trust. As a Tor Project spokesman told the Guardian regarding Volynkin/McCord’s pulled presentation:

Organisers from the Tor Project said they were working with the Computer Emergency Response Team (CERT) at Carnegie Mellon, which is sponsored by the US Department of Homeland Security, to release information on the problems identified by the researchers.

“We did not ask Black Hat or CERT to cancel the talk. We did (and still do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made,” said Tor Project president Roger Dingledine.

“We never received slides or any description of what would be presented in the talk itself beyond what was available on the Black Hat webpage. Researchers who have told us about bugs in the past have found us pretty helpful in fixing issues, and generally positive to work with.”

Gee, Alexander Volynkin and Michael McCord, Tor is “generally positive” to work with. Just do the right thing already! Think of all those crying babies in Iran who don’t have, like, warrants. You can read more about Roger Dingledine, Tor’s president, here.

In the video interview I’ve embedded above, Andrew Case goes beyond the call of duty to plug The Tor Project’s ability to fix the vulnerability he discovered how to exploit:

“The first thing they [Tor/TAILs developers] do– as we talked about before, if you can pull the plug on the machine or just get memory wiped somehow, then there’s no evidence of what you did. So the first thing they did is like they implemented, it’s called kexec, I’m not sure what it stands for, but what it lets you do is move it [the data? a.nolen] to another kernel, you know, another Linux kernel while you’re already in Linux without rebooting the machine.

So what they do at that point, when you tell it to shutdown, instead of only shutting it down and hoping that RAM clears itself, it boots into this minimal kexec kernel, then goes back and wipes all the memory for you, that you were using. You know, overwrites it multiple times. So at that point, you know, memory is really gone, fairly instantly, as soon as you’re done using the system as opposed to hoping that the hardware is going to do that for you.

That was the first thing. And I think two weeks ago there was another TAILs release and that’s actually in there. And the second one was … I’m not sure it’s done yet, their project page was confusing… what they want to do is whether using a CD or a USB stick, is as soon as you pull the USB stick out or hit the eject button on the CD, it boots into a separate, it uses a udev rule to see the device activities happening, and from there they go back and wipe all the memory again, sort of without waiting for the machine to cycle down– so if the door’s getting kicked in you just pull the USB drive out and your machine starts erasing itself and there really is no evidence of what you did.”

It’s interesting how Andrew, who makes a living by undoing the work TAILs claims to do, can go on to plug the Tor Project’s ability to undermine his own work in turn. To put this in perspective, imagine a narc glowing over Los Zetas’ ability to cover their distribution networks. The drug world can get ‘hectic’, but those Zetas deal in places where there’s no other way to become a billionaire… There’s something insincere in your Tor promotion, Andrew. Sometimes I feel like everybody’s on the same team.

On the face of it, Digital Forensics’ decision to throw away the competitive edge may appear to be a poor business decision. However, things become a little more clear when you consider who Andrew Case’s boss is: Daryl Pfeif, CEO of Digital Forensics Solutions LLC.


“Daryl Pfeif is drawn to emerging and useful technology like a moth to the flame.”

I lifted that cheeky little avatar from the ‘Board of Directors’ page of the Digital Forensic Research Workshop or ‘DFRWS’ [no idea where the ‘S’ comes from– a.nolen]. This is her full blurb from the DFRWS website:

Daryl Pfeif

Chief Executive Officer, Digital Forensics Solutions, New Orleans, LA
Daryl Pfeif is drawn to emerging and useful technology like a moth to the flame. She attended her first Digital Forensics Research Workshop in 2004 and they haven’t been able to get rid of her since. She is the co-founder of http://www.DigitalForensicsSolutions.com and has over fifteen years of experience as a communications technology consultant and lead project manager in both the public and private sectors.

The DFRWS was started by the Air Force Research Laboratory (AFRL) Defensive Information Warfare Branch. Daryl is the skirt on the board, which also includes MITRE’s Eoghan Casey, who “supports forensic R&D at the DoD’s Cyber Crime Center (DC3/DCCI)”, and Wietse Venema, who writes forensic analysis software for IBM.

MITRE is a *grotesque* US government research institute/think tank, which spearheads the ‘Insider Threat Initiative’, through which government employees are encouraged to rat on any co-worker who “expresses unhappiness with U.S. foreign policy” or shows sympathy for the “underdog”.

IBM has written a lot of social network analysis software, which a.nolen reader E. Oop alerted me to. [Thank you, E. Oop!] The jewel in IBM’s ‘Facebook’ crown is Analyst’s Notebook, which you can read about in this article comparing IBM’s product with that of their competitor, Sentinel Visualizer. Sentinel Visualizer is partly funded by In-Q-Tel, the CIA’s venture capital firm. The beauty of market forces + government money!

So those are Ms. Pfeif’s, er, bedfellows… suddenly it becomes clear to me why Andrew Case was so eager to give up his firm’s competitive advantage. Unfortunately, in real life the good guys don’t always win, and Digital Forensic Solutions’ website hasn’t been updated since 2012.

[Image: votive candle]

P.S. Wouldn’t it be ‘sooo NSA’ if the US gov could watch every file unscrambled by folks using Volatility software… #tinfoil!
