
Re: [Full-disclosure] Re: Guidance



J.A. Terranson wrote:
...
> accurate and completely
> supporting information
...

Alif,

Come now, my friend, you know very well that there is no such thing in 
computing unless you happened to be monitoring all internal and external I/O of 
the computing device in question at the time the alleged 'data' were allegedly 
'processed' by that computing device.

You put on a hat labeled 'computer forensic examiner' as a necessary matter of 
business practice, in order for other people to understand what you are when 
you are serving that role in some forensic situation. But by wearing such 
title, and by engaging in such business, you are forced to make gigantic leaps 
of imagination in order to offer opinions as to your finding of 'accurate and 
completely supporting information' after your forensic tools and your knowledge 
of software give you a glimpse of the past that is beyond the capability of 
mere mortals.

The problem, and the reason the entire industry needs to die, is that this 
creates a situation in which the side with the best imagination wins.

It doesn't help the discovery of truth for people with forensic tools and 
talent to suggest that their imagination is superior and therefore can prove 
conclusively what happened in the past.

No matter what safeguards you or the rest of the computer forensics industry 
develop, I will still be able to defeat your imagination because yours is 
limited by budgets and time constraints, whereas I am only limited by the 
lengths to which I am willing to go to deposit fake evidence and secretly 
control other people's computers.

Given the desire to do so, any motivated adversary could cause your computers 
to contain 'accurate and completely supporting information' of their choosing, 
without possibility of detection after-the-fact. It is only badly-executed 
intrusions or intruders caught-in-the-act that result in the owner of a 
computer system discovering that their security has been compromised.

This is the end result of the ability to execute arbitrary code or gain 
unauthorized physical or logical access to vulnerable computer systems.

When the 'computer forensics' industry requires of each practitioner a written 
and spoken caveat to this effect before and after every report that an examiner 
delivers to a client, that's when there might be some justification for the 
industry to exist at all. Until then, we're all a bunch of self-serving glory 
hounds who can't find anything better to do with life, and who don't mind 
putting other people at risk for our own short-term benefit.

We absolutely must be stopped. But that doesn't mean I will be turning away 
jobs myself. As long as this booming market keeps making me rich, I'll keep 
doing my job to the best of my ability. But I won't be happy about it until the 
nonsense stops and people start thinking rationally about how silly it is to 
trust computer data and call it 'evidence' -- it is digital dumpster diving, 
and the hard drives are garbage cans.

Be careful which garbage can you stand next to, because proximity to the 
garbage is now effectively a crime thanks to flawed computer forensics. We are 
all at risk unnecessarily, and full disclosure of the true nature of that risk 
is our only protection against persons of superior imagination.

Regards,

Jason Coombs
jasonc@xxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/