CERT and The NZ Police should provide revenge-porn victims their file hashes

They often say the internet has no delete button.

It's a very useful analogy to explain to new users of the internet the gravity of certain areas of their personal computer and information security: maybe think twice before uploading semi-sensitive information, and three times for anything more secret. Once it's on the internet it can be hard to delete.

How to delete files from the internet:

One way could be to create a "hash" of the file you want gone from the internet, and then you know what you don't want to know, without knowing it! Amazing. Example time:

Assume the file is named horrific-revenge-porn.jpg

The following hash (fixed-length, random-looking strings derived from the picture of an idiot) can be used instead of the actual offensive / suppressed original file data, which makes sense if you are trying to delete the file, not to hold it! It can be given to administrators to guarantee a system does not have a copy of the file:

Horrific revenge porn


sha256: c8b3c2a03380f577fa9d6b67ee15e40a9f8f9a076073ea56e5b5adb2e9ffe32c
md5: 79768d44c2aca6ed68d8157130265c05
crc32: b5513fdf
bytes: 50323

For the most extreme cases, involving criminal contraband information such as the unfortunate case of the Kiwi man from Hastings sentenced to 4 years for secretly filming his female Airbnb guests, CERT and The NZ Police should offer to provide file hashes to the victims of criminal data breaches like revenge porn and so forth.

This would enable the following desirable privacy benefits:

  • ensure the banned files are not held on owned computer systems
  • securely provide the means for others to also do so
  • nothing about the file's contents can be said from looking at the random letters*
  • a registry of illegal files would help large ISPs to keep their disks clean
  • an infinitely large file - even a 50 GB file - is reduced to a short piece of text
  • it's not encryption - it's an irreversible scrambling of any file to a set sized chunk of gibberish

For example, let's say the picture above is some revenge porn you made once that was posted by your evil ex-partner or stalker, and now you'd like it gone from the nets; in theory, if you put the file hashes into a government registry, one day ISPs can do seasonal scans and wipe matching files.

China likely does this to laser target and delete entire sections of the internet from its citizens. They probably have scanners running 24/7 to find old shots from the Tiananmen Square Massacre - and perhaps even this new shot - this time the guy is flat as a pancake after being literally "rolled" by a tank:

China Rogue State


SHA256 is the current state of the art. You can get SHA512 also but it's twice the length.

MD5 was huge for a very long time. Popular for verifying big .iso files after downloading.

CRC32 is not a hash, but it's a checksum maintained by your computer on the disk that can also be used in a similar way. It will detect a single bit change, but unlike a true secure hash, you can easily pad an altered file so that a different file gets the same CRC32 (if you add a bit, then delete a bit also, it is just each byte added together essentially).

Collisions

While it's theoretically possible for two different input files to create the same hash - a hash collision - if you use two or more different hash types like above, or even just also include the filesize in bytes (50,323 bytes in this case), you eliminate the false positive potential.

Also, any large ISP isn't going to want to automatically delete files based on just one parameter. For use by a sovereign national police force I'd recommend using all four: bytes, crc32, md5, sha256 plus a category, e.g. kid-porn, espionage, credentials, financial, medical/health, military, government, personal privacy, education, entertainment (here we hit a snag: the copyright industry).

Because a hash changes completely with even a tiny single-bit alteration to the input file, getting a hash collision is going to require a wildly different filesize, say 50 Kb versus 50 Tb!

The commands to get this on my mac were:

shasum -a 256 [bad-file.jpg]
md5 [bad-file.jpg]
crc32 [bad-file.jpg]
ls -la [bad-file.jpg]

What's nice is that you can double check your hash using a different program, openssl:

openssl dgst -sha256 [bad-file.jpg]

Now you can quickly compare huge files without transferring them; and detect tiny alterations to big files.
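An added example (not from the original post or from any agency's tooling) of the four-field check recommended above: it builds a bytes/crc32/md5/sha256 record per file and reports only files whose whole record appears in a registry. The registry layout, the function names and the sample files are assumptions constructed for illustration; in the demo, a copy with one flipped bit keeps the same size but no longer matches, so exact hashes only find byte-identical copies.

```python
import hashlib
import os
import tempfile
import zlib

def file_record(path, chunk_size=1 << 20):
    """Return (bytes, crc32, md5, sha256) for a file, read in chunks."""
    crc, md5, sha256, size = 0, hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            size += len(chunk)
            crc = zlib.crc32(chunk, crc)
            md5.update(chunk)
            sha256.update(chunk)
    return (size, f"{crc:08x}", md5.hexdigest(), sha256.hexdigest())

def scan(root, registry):
    """Yield (path, category); registry maps a full record to a category."""
    sizes = {record[0] for record in registry}  # cheap pre-filter on file size
    for folder, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(folder, name)
            if os.path.getsize(path) not in sizes:
                continue  # no registered file has this size: never read it
            record = file_record(path)
            if record in registry:  # all four fields must agree
                yield path, registry[record]

def demo():
    """Constructed sample data: three small files in a temporary folder."""
    with tempfile.TemporaryDirectory() as root:
        original = b"constructed sample bytes standing in for an image" * 100
        altered = bytearray(original)
        altered[0] ^= 0x01  # same length, one bit flipped
        samples = {"copy.jpg": original, "edited.jpg": bytes(altered),
                   "unrelated.txt": b"hello"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        registry = {file_record(os.path.join(root, "copy.jpg")): "personal privacy"}
        hits = [(os.path.basename(p), c) for p, c in scan(root, registry)]
        changed = file_record(os.path.join(root, "edited.jpg"))
        return hits, next(iter(registry)), changed

if __name__ == "__main__":
    print(demo())
```
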

Syntella macOS Forensics Tool


Syntella (Download v0.2.2) is an open-source macOS forensics tool that creates a text file report that tells you exactly what's running on your system: open connections, services, network connectivity, disks, USB, global ping time network checks. It takes about 5 minutes to run and gives you a text file with a timestamp that you can "diff" against earlier files to see changes easily.

It's designed for advanced mac users to check their system is safe, and for regular users to peruse and give to an expert for help. View the example report.

It is licensed as open source under the Apache 2.0 license; the source code is available (click Syntella.sh to see what it's doing behind the scenes).

I capture a copy of all the reports via encrypted link to tomachi.co

In exchange for your use of the software I am collecting its output presently; this can be disabled for a fee.

At this time I do not have automatic deletion of reports set up, but they are at difficult-to-guess web URLs only reported in the app and not linked from any places online. If the app becomes popular I'll begin deleting reports on a daily rotation to ensure privacy but still give time to download.

Privacy Sensitive Categories Collected:

The labels but not the contents of:

Wifi names, machine name, hardware serials (no software is checked at all), MAC addresses, processes, programs, ports, servers, services, disk free, network connections, open files, router tables, users logged in, tunnels, mounted volume names.

We don't capture any user files or filenames, unless they are open. So consider which websites you visited just before running it. Netstat will still show closed connections for at least 2 minutes after closing, due to the CLOSE_WAIT and TIME_WAIT states of TCP/IP.

This app collects a bunch of output from these OS tools and compiles them into a single text file you can diff from time to time to see changes.

Run from compiled Application (easy)

Download the app at https://tomachi.co/downloads/Syntella_v0.2.1.dmg

Run from source code (advanced)

Since this is security software, it's open source. You can read it and see everything it does. But you will need to also install:

  • homebrew
  • git
  • curl
  • nmap

This shell script will run a range of diagnostic tools against your machine. To install it enter at the terminal:

git clone https://github.com/tomachinz/syntella/ ~/syntella

Then to run it use:

~/syntella/syntella.sh

Or just double click the syntella.sh file icon.

To receive updates type:

cd ~/syntella/

git pull