Privacy Software Linux

A Linux-Based "Breath Test" For Porn On PCs 345

Posted by timothy
from the child-porn-claims-the-ultimate-smear-tactic dept.
Gwaihir the Windlord writes "A university in Western Australia has started beta testing a tool that's described as 'a random breath test' to scan computers for illicit images. According to this article it's a clean bootable Linux environment. Since it doesn't write to the hard drive, the evidence is acceptable in court, at least in Australia. They're also working on versions to search for financial documents in fraud squad cases, or to search for terrorist keywords. Other than skimming off the dumb ones, does anyone really expect this to make a difference?" The article offers no details on what means the software uses to identify suspicious files.

  • by nweaver (113078) on Tuesday November 04, 2008 @02:01PM (#25629651) Homepage

    It looks for files like "guyongirlonsheep37.jpg"

  • by i.r.id10t (595143) on Tuesday November 04, 2008 @02:01PM (#25629655)

    Quick! What's the RGB color value for "pink"?

  • by denis-The-menace (471988) on Tuesday November 04, 2008 @02:04PM (#25629695)

    Now everybody in Australia is guilty until proven innocent!

    • by SupremoMan (912191) on Tuesday November 04, 2008 @02:10PM (#25629797)

      Now everybody in Australia is guilty until proven innocent!

      I thought that was the founding principle of Australia :)

      • by Maclir (33773) on Tuesday November 04, 2008 @02:49PM (#25630549) Journal

        Remember, we were selected by the best judges in England...

        The difference between the USA and Australia - first, England rounded up all of its religious fanatics, and sent them to the American colonies, then they rounded up all of these criminals, and sent those to the Australian colonies....

        • Now we just need to identify the criteria used when the rest of Europe sent people to the English colonies..

        • Re: (Score:2, Informative)

          by scientus (1357317)
          We've got our debtors' colony too: Georgia. But yeah what you guys are missing is that the crime was being debtors, something that today you would declare bankruptcy to. Although new US banking laws could push America back in the direction of those days in general they were not really criminals in today's sense, they just were poor and didn't kiss the rich people's ass.
        • by russ1337 (938915) on Tuesday November 04, 2008 @03:17PM (#25630957)
          On a flight from DFW to LAX, I was recently asked by the American in the seat next to me 'where New Zealand got its heritage - because, you know, Australia was a criminal colony'.... my answer: oh, don't mess with New Zealand...

          Australia rounded up its worst criminals and sent them there...
        • by onkelonkel (560274) on Tuesday November 04, 2008 @03:21PM (#25631025)
          So the Australians won the coin toss and got to pick?
        • Re: (Score:3, Funny)

          by phorm (591458)

          The mentally deficient, ruthless, and inbred of course remained safely at home (and in noble circles, more often than not).

        • by sjf (3790) on Tuesday November 04, 2008 @03:25PM (#25631091)

          It's not the folks descended from criminals that worry me. It's the folks who are descended from the prison wardens who cause all the trouble.

        • by syousef (465911) on Tuesday November 04, 2008 @03:31PM (#25631189) Journal

          The difference between the USA and Australia - first, England rounded up all of its religious fanatics, and sent them to the American colonies, then they rounded up all of these criminals, and sent those to the Australian colonies....

          In those grand traditions I propose the following test...

          Turn the laptop on, tie a large weight to it. If it floats, it's a witch! Burn it! If it sinks it's innocent. Pity it didn't survive.

        • by sorak (246725) on Tuesday November 04, 2008 @04:45PM (#25632333)

          Remember, we were selected by the best judges in England...

          The difference between the USA and Australia - first, England rounded up all of its religious fanatics, and sent them to the American colonies, then they rounded up all of these criminals, and sent those to the Australian colonies....

          So where did they send the dentists?

          <ducks>

  • Helix (Score:5, Informative)

    by davrodg (889968) on Tuesday November 04, 2008 @02:05PM (#25629705) Journal
    Helix can do most of the "breath test" functionality referred to, and is a great forensic Linux distro. Helix is also considered a viable method in which to capture data that is consistent with the chain of custody that is required for evidence to be presented to a Judge. Check it out... http://www.e-fense.com/helix/Download.html [e-fense.com]
  • by Jane Q. Public (1010737) on Tuesday November 04, 2008 @02:05PM (#25629709)
    ... would be to get a hash value for individual files, and compare that to known hash values for known infringing files. And there are already tools that do this.
    • by Hatta (162192) on Tuesday November 04, 2008 @02:12PM (#25629831) Journal

      And trivial ways to get around it. An encrypted file system is the obvious solution, but hell if they're just checking hashes you could use ImageMagick and a very small shell script to very slightly alter the image, giving you an entirely new hash.

      • Re: (Score:3, Informative)

        by click2005 (921437)

        There was a slashdot story a few weeks back about a company claiming to be able to detect images inside encrypted drives.. http://yro.slashdot.org/article.pl?sid=08/07/17/2043248/ [slashdot.org]

        If they're just checking hashes you could change the R,G, or B of a random pixel by 1 and change the hash.. or even just add random text to the EXIF data.

      • Re: (Score:3, Insightful)

        by ucblockhead (63650)

        An even better way is to get a machine that will boot off of a USB key, and put all the "interesting" pictures on such a key, perhaps encrypted. It is a lot easier to hide a USB key, and this gives you a computer that is itself completely clean so you don't have to deal with demands for encryption keys.

        • Re: (Score:3, Interesting)

          by FictionPimp (712802)

          I have an encrypted disk that is full of encrypted disks. They are labeled backup_date and important_documents_date, etc. I have a special one named long_term_storage that is for 'special' files I do not want the rest of the world to have access to but do not belong in a category I set up.

          So not only do you need my encryption password to boot my notebook, but then you need to know the password of the individual containers to see what is inside them. That is of course assuming I don't have any hidden contain

    • Re: (Score:3, Insightful)

      by blueg3 (192743)

      It looks like it's just a tool for previewing media on the drive while maintaining forensic integrity. Certainly something a person trained in computer forensics could do without the tool, but this is targeted at people with minimal training, it seems.

      Of course there are plenty of easy anti-forensic measures, but the goal is probably to cut down the time spent per case on the low-hanging fruit (which is the majority of cases) to reduce backlog.

  • forensics (Score:5, Insightful)

    by Lord Ender (156273) on Tuesday November 04, 2008 @02:07PM (#25629733) Homepage

    Computer forensics is hard, expensive, and time-consuming. I would guess this is just a tool for cops to save cash in criminal investigations compared to hiring an expert, or at least to triage which systems need to be investigated by an expert.

    Also, if your friends are IT staff and your online watercooler is slashdot.org, you may think everyone but the "dumb ones" knows how to encrypt a drive. But the reality is that the vast majority of criminals have never heard of Truecrypt.

    • Re:forensics (Score:5, Insightful)

      by Jabbrwokk (1015725) <<grant.j.warkentin> <at> <gmail.com>> on Tuesday November 04, 2008 @02:18PM (#25629937) Homepage Journal
      I think you are correct. Most criminals are dumb. And I think you're right about this being a cash-saving tool. From the article:

      The design concept is that any police person with adequate training could use the tool, so that when they go into a crime scene they can quickly review a computer for illicit images or videos.

      Sounds like it relies more on officers' eyeballs than algorithms to do a quick scan for anything obvious. This tool will help them quickly move through the easy stuff, and allow them to focus time and resources on the more sophisticated criminals. [gulf-times.com]

      • by WK2 (1072560)

        Your example of a "more sophisticated criminal" is a man who uploaded photos of himself abusing children. He didn't even black out his face. He "swirled" it in such a way that it could be easily unswirled.

    • A local forensics expert says the same thing of his practice. In fact, last time I heard him speak about it, he said he'd never encountered encryption in a case he handled.

      There's some sample bias going on there, because he refuses to handle some cases, and child pornography is one of the things he won't touch.

      BitLocker may make encryption more mainstream.

  • Could someone who is a lawyer better explain this? Is it not a challenge to forensics if you challenge the method of the forensics? Even highly reliable software averages about 1 error per kloc, seems like it would be easy to have a field day with poking holes in "detection" software. Are Australians not allowed to challenge the devices used to catch them in crimes?
    • by faloi (738831) on Tuesday November 04, 2008 @02:17PM (#25629917)
      IANAL, but the summary (at least) gives no indication that the forensic tool is going to be the last word. It's a bootable distro, so presumably the system has already been confiscated by whatever organization cares most about the potential crime. The forensic examiner(s) responsible for looking for data with the evil bit set boot to this CD and see if it flags anything. Then they examine anything that's flagged, and prep it for court.

      Doing a thorough exam of an average drive can be time consuming, even if the user is kind enough to leave all their documents handily in the "My Documents" folder. Trying to examine several machines in a timely fashion would benefit greatly from a tool like this. If the disk flags something, and it's really illegitimate, the data just needs to get cataloged. Think of it as helping go for "low hanging fruit" that can be used to convict someone, without being as resource intensive as a full manual scan. I'm guessing that if the disk doesn't turn up anything, there will still be a long manual process involved to see if there's something there.
    • by blueg3 (192743)

      They mean that you can't challenge whether the data was acquired in a forensically-sound manner. If the software does any determination of if the image is illicit or not, that's undoubtedly not valid in court. However, the system is to write the illicit images to a removable medium (CD-R) and verify that they are illicit through standard procedures.

    • by TheRaven64 (641858) on Tuesday November 04, 2008 @02:31PM (#25630191) Journal
      Sounds dubious to me. In most jurisdictions I'm aware of, you are not allowed to connect a hard drive to a machine physically capable of writing to it if you want anything retrieved from it to be admissible in court, and you need a chain of custody showing this. Software write protection is not good enough, you need to physically disconnect the write pins from the cable (no idea how they do this from SATA - probably something which intercepts write commands and blocks them and goes through an expensive approval process to ensure that it works).
    • by LrdDimwit (1133419) on Tuesday November 04, 2008 @02:42PM (#25630395)
      The minute you change the contents of that hard drive, you open the door to claims of tampering with evidence. "Your honor, the kiddy porn only showed up after the police 'inspected' it. They planted all of it." That's what 'chain of custody' means. Police have procedures to follow to ensure that evidence can't be tampered with.

      Good meatspace analogies would be OJ Simpson's DNA showing up on evidence only after he gave a blood sample. More hypothetically, say the cops take your backpack as evidence. What happens to it? Well, it sits in a police warehouse storage facility somewhere, possibly for months. If any cop has access to that backpack on demand for this whole time, then there is effectively no way to prevent someone from stuffing the bag full of drugs. No accountability. So for meatspace evidence, there are very strict rules that say you have to keep track of every person who has access to that piece of evidence. There can be no exceptions.

      The equivalent in the computer forensics world is that you have to guarantee you didn't alter the original equipment's hard disk. Proper forensic analysis involves making a *copy* bit-for-bit and then analyzing this copy. The new thing here is a bootable CD that presumably has been rigorously tested and certified (by who, I couldn't say) that it literally cannot modify the hard disk.
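
An added example, not part of the comment above or of the tool the article describes: the "bit-for-bit copy, then analyze the copy" step, with digests taken before and after so the custody record can show the original was unchanged. The function names and file names are hypothetical, a small random file stands in for the seized disk, and opening the source read-only is software protection only, not a substitute for the hardware write blocker mentioned elsewhere in the thread.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, so a whole disk never has to fit in memory


def sha256_of(path):
    """Hash a file or block device opened read-only ("rb" never writes)."""
    digest = hashlib.sha256()
    with open(path, "rb") as src:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image, examiner):
    """Copy source to image bit for bit and return a custody record."""
    before = sha256_of(source)
    # Mode "xb" refuses to overwrite an image that already exists.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    record = {
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source_sha256_before": before,
        "image_sha256": sha256_of(image),
        "source_sha256_after": sha256_of(source),
    }
    # All three digests must agree: the copy is exact and the original
    # was not altered while it was being read.
    record["verified"] = (
        record["source_sha256_before"]
        == record["image_sha256"]
        == record["source_sha256_after"]
    )
    return record


def image_still_matches(image, record):
    """Re-check a working copy against the digest recorded at acquisition."""
    return sha256_of(image) == record["image_sha256"]


def demo():
    """Constructed sample: a small random file stands in for the seized disk."""
    with tempfile.TemporaryDirectory() as work:
        disk = os.path.join(work, "suspect_disk.bin")
        image = os.path.join(work, "evidence.img")
        with open(disk, "wb") as f:
            f.write(os.urandom(2 * CHUNK + 123))
        record = acquire(disk, image, examiner="constructed-examiner")
        intact = image_still_matches(image, record)
        with open(image, "r+b") as f:  # simulate a one-bit change to the copy
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 1]))
        return record["verified"], intact, image_still_matches(image, record)


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The last value shows why the recorded digest matters: a single flipped bit in the working copy is enough for the re-check to fail.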
    • by Ozric (30691)

      It just copies the suspect files to external media.

      Someone will still have to look at those files to see what they are.

      This is just a tool to save them from groking the files.

      The manner they use to find files on a system they already took into evidence is not an issue
      so long as the system's media remains unchanged.

      The original evidence is preserved. How can you challenge that?

  • There goes my secretledger.doc and terroristplottotakeovertheworld.doc!

    • by Lumpy (12016)

      rename them digdug.exe and pacman.exe

      Oh crap, the penalty for software piracy is torturous death while terrorism gives you only life imprisonment.

      sorry.... my bad.

  • It's always about censorship and blocking and denial. That's all I hear now coming out of Australia.

    That's too bad. Was thinking of going there on vacation. Guess I'll go spend my money elsewhere.

  • as breast test... would've been more appropriate, too.

  • Psych-Ops (Score:5, Interesting)

    by unlametheweak (1102159) on Tuesday November 04, 2008 @02:12PM (#25629821)

    The article offers no details on what means the software uses to identify suspicious files.

    I highly suspect that the police don't want people to know the details of how sophisticated their technology is because they don't want to embarrass themselves. Keeping an aura of mystery and FUD around themselves and their techniques is also a form of psych-ops; it's the chrome facade of a lemon.

  • Sure, I can be compelled to provide the passphrase in court, but a dose of 256-bit AES keeps it on the down low to tools like this.
  • Illicit? (Score:3, Insightful)

    by reidconti (219106) on Tuesday November 04, 2008 @02:18PM (#25629933)

    Last time I checked, porn was not illegal.

    • They mean child porn

      Even then, it checks only the "available" files (not checking deleted, or encrypted drives). So hopefully police will use this, and if your computer passes the test, then you are free to go instead of taking your computer for months.

      Funny thing is, all this "checks", is known hash values of child porn and means 3 things:
      1: Edit a pixel on all your images
      2: Encrypt/steganography your images
      3: or Make your own and don't distribute

      The only thing they are doing with these new systems
      • On point 1, does that mean that you could just make a program that will go through a set of files, take pixel (0,0) from each and give it a random RGB value, and the hashes would be different enough just from that that they wouldn't match up with searches for known images' hashes?
    • Re: (Score:3, Informative)

      by Paul Slocum (598127)
      The FA's title actually mentions that it's specifically for child porn. But some employers might also be interested in the tool since it's against many company policies to have porn on work computers.
    • Re: (Score:3, Interesting)

      by sanjosanjo (804469)

      Last time I checked, porn was not illegal.

      While the summary says "porn", the article is referring to child pornography - which is illegal.

  • after viewing where most pron actor and actresses' mouths go, i don't want to know anything about a "breath test"

  • Oh great, expect that in a few years they will be running this on international travellers as a standard part of customs.

    Got to stop that kiddie porn. Everyone knows they are too stupid to traffic it via encrypted Internet traffic, or DVD's mailed in the post.

    • by gstoddart (321705) on Tuesday November 04, 2008 @02:27PM (#25630105) Homepage

      Oh great, expect that in a few years they will be running this on international travellers as a standard part of customs.

      Sadly, this seems to be a part of a trend. Part of travel now means that you need to be subjected to complete search and inspection to make sure you haven't done anything wrong.

      This includes fingerprinting, gathering of biometrics, and having all of your personal stuff exhaustively searched to ensure you have no porn, terrorist material, copyrighted material you can't prove you bought, or anything critical of the government of the country you're entering.

      If you have probable cause that I'm smuggling something, maybe. But, in the case you point out where we scan everyone so they can prove themselves innocent ... well, modern society is pretty much hosed in that case. However, that seems to be where we're going lately.

      Cheers

  • SECAU was also considering another purpose-built CD to search financial documents for use by a fraud squad or those hunting terrorists using keywords.

    Another example of how the fight against privacy has little to do with terrorism. Perversion is of greater concern to the Right Wing than fighting violent crime.

  • Perhaps they're trying to scare most of us straight, perhaps shake out a few confessions? "If you tell us you've been downloading illegal porn rather than MAKE US look for it by tearing through your system, the judge will go easier on you." Good cop bad cop anyone?

    It's all a game to them when you're being brought downtown on a trumped up charge to be leaned on by halfwits. (with excuses to Bryan Singer for the obvious Usual Suspects reference)

  • My understanding is that for serious computer forensics you need to work on bit-level duplicates of the original drive, with the original protected by a hardware write-blocker from the moment it's extracted from the original machine (and doing that without risking loss of evidence is quite a challenge in itself, coming down to a choice between data loss through a specially modified shutdown.exe or data loss through yanking the mains). There's just no other way to properly guarantee that the data is pristine
  • 2009! (Score:2, Funny)

    by flattop100 (624647)
    It's the year of Linux on the Desktop! And to think of what the reaction would be if this ran on Windows.
  • by CompMD (522020) on Tuesday November 04, 2008 @02:53PM (#25630605)

    #include <stdio.h>   /* printf */
    #include <unistd.h>  /* sleep */
    int main()
    {
            printf("Searching for stuff the user isn't supposed to have...\n");
            sleep(30);
            printf("Illegal material found! Seize computer and arrest owner!\n");
            return 0;
    }

  • Guess I better start deleting my wmv's of Bin Laden doing hot Enron executives.

  • Border patrol using this on all laptops in 3... 2... 1...

  • Buy a copy of this software and pre-empt it by scanning? Of course encryption would work too...
  • by RichMan (8097) on Tuesday November 04, 2008 @03:20PM (#25631001)

    Anyone serious enough can hide the data. As usual we all get hassled and only the stupid get caught.

    1) install a game with huge data files
            - Example World of Warcraft
    2) make a dummy side directory off the game install
    3) drop in a huge binary file with the same extension as the game data or patch
    4) mount dummy file as encrypted file system
    5) delete mount line before crossing the border

    "No idea what that file is. Looks like part of the game to me."

    No way they can have a database of all possible good binary files to ignore.

  • Breath Test (Score:3, Funny)

    by VorpalRodent (964940) on Tuesday November 04, 2008 @04:30PM (#25632073)
    I'm not familiar with the term "Breath Test". In this case in particular, wouldn't a "Breast Test" be more useful? Unless of course they're specifically excluding necrophilia from their search criteria...
