Pages

Monday, May 21, 2012

My Apology

On 19 May, something of a firestorm seems to have erupted.  While I don't know most of what's been said, nor by whom, some friends have expressed concern over what they've seen, so I thought I would take a moment to apologize for my actions.  I realize that my actions were wrong, and for that, I sincerely apologize.

Around the beginning of the year (to be honest, I don't remember the exact date), I posted my Jump List parsing code to my Google Code site.  The archive I posted consisted of two Perl modules (JumpList.pm and LNK.pm), two Perl scripts (jl.pl and jl2.pl), and a PDF user guide document.  During development and testing, I found that the jl.pl script did not work correctly...it failed to function at all and quit with an error regarding a function (i.e., getLNK()) call to one of the modules...that function call did not exist within the module.  The Perl interpreter would not allow the script to run.  I opted to leave this code in place and post the archive, in order to see how many people would download it, and of those, how many would report any issues. 

On 2 Jan, I posted updated, corrected code to the download site.

The Issue
On 15 May, I posted a comment to the Jason Hale's blog.  Here's the comment that appears to have caused all of the issues:

well, that's the one I wrote so that it wouldn't work...it was a social experiment, to compare the number of downloads to the number of folks who say anything about it not working. So far, only 2 people have said anything about issues with the script...

On Saturday, 19 May, I received emails from two friends while I was offline stating that there were discussions about my comments occurring online.  When I did get back online later in the day, I could not see most of those comments, so I don't know what was being said.  Further, I do not have a Google Plus account, so I could not see what was discussed in this forum, either.  I did receive an email on Sunday morning (sent to me late Sat night), where someone expressed their concerns and feelings to me.

Was there any deception?
Absolutely not.  The jl.pl script did not work.  It did not report incorrect or deceptive data.  There was no "joke app".  The Perl interpreter did not allow the script to complete, regardless of any arguments passed to the script.  In fact, the same error would have occurred, regardless of what data was passed to the script.  The Perl interpreter prevented the script from processing any data.

Does this issue affect any other code?
Absolutely not. 

This script is in no way associated with RegRipper.  It is not part of RegRipper, nor any other tool or script I've ever released. 

Have you conducted any other "social experiments" without anyone's knowledge?
Absolutely not.  Nor will I do so again.

My Apology
I realize that what I said in my comments to Jason Hale's blog, specifically the two words "social experiment", are what appears to have generated the reaction that many are seeing online.  I sincerely apologize for the use of the term, and I sincerely apologize for purposely and knowingly releasing code that did not work.  It was not the best judgement to do this, and I realize that, and apologize for my actions.  I have not done anything like this before, and it will never happen again.  I am deeply sorry for any ill feelings of mistrust or betrayal my comments caused.

30 comments:

  1. Anonymous9:20 AM

    I'm very disappointed in you. Do you have any idea what this could do to your credibility as an expert witness? A defense lawyer would love this. All he has to do is plant the tiniest seed of doubt in one jurors head... Do you play these games with your books?

    ReplyDelete
  2. Do you play these games with your books?

    I'm sorry for not being clear enough on this in my apology. No, I do not.

    ReplyDelete
  3. Thanks for posting and having the courage to do so. True experts acknowledge when they are wrong and take corrective action, which you have clearly done (although there is nothing legally wrong with this, it's not as if your code produced false or incomplete results, it simply didn't work). I appreciate your courage to publicly apologize to the DFIR community, and I look forward to benefiting from your knowledge and contributions in the future.

    ReplyDelete
  4. @Anonymous
    If you simply use tools output when reporting to court/anybody, you will get some troubles despite Harlan's scripts.

    It's up to DFIR "experts" to spot faults/errors from tools, since they will base conclusions on them. But then they will be called to explain those conclusions and those artifacts regardless of the tool used!

    @Harlan
    I can understand- even if I do not agree - the reasons that caused you to apologize, and as a well-known DFIR expert you proved another time that your great reputation is deserved.

    Finally, I cannot bear that two simply words could cause that mess.
    Less complaining and more supporting will help the DFIR community a lot, just talking on "social experiment" is cheap...

    ReplyDelete
  5. Hi Harlan,

    I wasn't sure if I should reply to your post via email privately or comment publicly but figured even though I am not really in the industry, I might have similar feelings about this episode as others. FWIW here's my 2 cents.

    Whilst I am disappointed at your actions, I can kind of understand your frustrations at the lack of feedback.
    The way you decided to handle it wasn't the way I would have expected a professional to behave (ie not informing your audience of known issues ASAP) and for that I am sad.
    Realistically though, we are only talking about a couple of days before you corrected the code. I'm glad that you did the right thing in the end.

    I checked my TODO folder and found that I downloaded the corrected JL.zip file on 31 March 2012.
    Not having any test data, I wasn't going to run any scripts but just wanted to see how you were coding it. I assumed that if you released it, you must have tested it. "Hey, I can trust Harlan right?"

    Anyway, you have done/will continue to do some great things and I am very grateful for it. I also am grateful for your various mentions of my blog from yours. The additional exposure has helped me meet a lot more DFIR'ers than I thought possible.

    I hope we can all move on from this moment and continue to "catch bad guys".

    Ironically, there probably won't be a lack of feedback on this post eh? ;)

    Regards,

    Adrian "Cheeky4n6Monkey" Leong

    ReplyDelete
  6. Okay, not the smartest move in a long string of very smart moves; but no one got hurt, nor could anyone have gotten hurt by your brief experiment. The error wouldn't return anything that should be mistaken for a successful operation.

    No defense lawyer can make hay with it anymore than they could gain traction from the countless other products we use daily that have some error or another in their code. If anyone on the lists believe they are using flawless forensic suites, I have some Florida real estate and a New York bridge they might like to buy.

    It takes a big man of sterling character to apologize unreservedly as you've done. I hope that's the very last of it.

    ReplyDelete
  7. Anonymous1:24 PM

    Hey. I'm a Unix person by trade and your blog in part of my Google Reader feed, just a few 1000 articles I try to absorb each day.
    Your apology caught my eye as did some of the people who expressed "disappointment".
    The world seems to have become a place of complaining leeches.
    You put out some code for free, you posted a correction to the code at a later time. You were curious to see who would notice the broken code and comment. I see nothing wrong with any of that. The code didn't operate in any malicious way, it was just a non working piece.
    I don't believe you have anything to apologize for as you give so much for free as it is. I should read some more of it sometime :)
    Please keep writing and providing to the forensics community and this is so much a storm in a tea cup.

    I don't want to start an argument with those people who are "disappointed" but just express my support.

    Regards

    ReplyDelete
  8. Anonymous1:25 PM

    Pfft. Never underestimate the foolishness of a thousand pundits, each striving to express a more memorable opinion than the last. The most regrettable part in all of this is that a problem was created out of nothing for which you are forced to apologize in order to "preserve" your reputation.

    The obvious learning here? Play your cards close to the chest.

    ReplyDelete
  9. I my opinion, you did anything wrong by using the word social experiment, or by conducting a social experiment. The internet IS one big social experiment and those that ride the waves participate.

    Those that are offended, disappointed, etc might want to reconsider/shift their paradigm.

    I appreciate your apology and understand, but for me it is necessary.

    ReplyDelete
  10. Anonymous3:08 PM

    Harlen,

    As an avid follower of your books, blog, and RegRipper (and other related software) for the past several years, I can understand your potential frustration of "testing the waters" to get opinions. As in the past you post questions and get very few responses and/or feedback. As with any software (even forensic software) .. the examiner must verify before coming to a conclusion.

    Keep up the great work for the IR and computer forensic industry. I believe the larger number of folk recognize the man of integrity that you are!

    ReplyDelete
  11. Jimmy_Weg5:08 PM

    To be very brief, I agree with Craig. Intentions count for a lot, and yours were honorable. How many times have any of us thought, "Gee, I wish I had done things differently?"

    ReplyDelete
  12. I'm in full agreement with Craig Ball. All software has good parts and bad parts. If we are going to testify as an expert related to any of our tools results, then we have to explain why we trust the tool for the specific task we used it for.

    I've found and reported to the developer company lots of software bugs that cause false results to be reported. I find those situations far more worrisome than a tool that simply fails regardless of why the software fails.

    In fact, if I were the person crossing a computer forensic expert I would ask: What tool failures have you found and what did you do when you found errors in the software you were testing?

    If a supposed expert doesn't have first hand experience of software failures, he is likely not a very experienced expert in the first place.

    ReplyDelete
  13. Anonymous5:52 PM

    Newsflash: great contributor to DFIR has a moment he regrets. That moment, far outweighed by his selfless contributions over the years, arose from frustration over a lack of feedback from those many who view his contributions as a one way street.

    I dunno, sounds pretty human to me. And there was I thinking HC was a demi-God!

    Nothing much to see here folks, move along.

    ReplyDelete
  14. Harlan,

    For those that do not know, I was one of the people who criticized Harlan for his statements. It started publicly and then I emailed you about it. My main concerns were the "Social Experiment" comment & the possible ramifications this could present in court as it applied to the use of other tools/scripts produced by you. My gripe had nothing to do with the jl.pl script, just his actions surrounding it.

    Even though we did not see eye to eye, I believe your dialog with me was genuine and I appreciate this post explaining the situation from your side of the table.

    I have said this on a number of occasions and I'll say it again, Thank You for all of your contributions to the DFIR Community.

    Finally, let's grab an adult beverage next month at the SANS Summit

    Joe Garcia

    PS- Anyone commenting on this should really not be posting Anonymously. If you are going to make a statement, own up to it.

    ReplyDelete
  15. Anonymous10:38 PM

    Hi Harlan,

    I'm not sure if its the fact that we are in the security industry and that tends to place your readers with a greater sense of awareness about the issues of posting information online and this may include feedback for your code.

    However again in regards to my comments the other day to you is that an analyst must understand what an application does under the hood. Its one thing to be able to run an application and produce an output but as an analyst if you don't understand the shortfalls of that tool or the affects it may have on a system then the analyst may miss something or may have already introduced issues into a legal case.

    An incident responder or forensic analyst should have tried and tested tools and the ability to ensure when they begin the investigation that they're tools are as they expect them to be i.e hash comparison.

    Well done on addressing this issue with the community.

    ReplyDelete
  16. Dude, I'm not an active user in this area but I can totally understand your reasons for doing so. We have testers here to check over our images before mass deployment and we don't tell them about any issues we already know about as we want to know they are able to do a decent job on testing. 9 times out of 10 they don't see the issues we found so their testing is almost worthless but we have to be seen to be using the resources we have at our disposal.

    We all make mistakes, and we learn from them. To everyone moaning I say, get over it. This obviously isn't malicious and hasn't everyone made an error of judgement at some point in their life. We all do. Live and Learn folks. Live and learn.

    ReplyDelete
  17. Harlan,

    The work and knowledge you put out there is immensely useful and I appreciate the work you do. I appreciate your perspective and your efforts to push this field forward.

    Craig Ball's comment is spot on, all tools have issues. As analysts we must make efforts to understand the subject matter and the tools we are using.

    I respect you, your apology (which is not needed IMHO, and just want you to know I appreciate the work you do.

    ReplyDelete
  18. I think of Harlan as one on the "rock stars" of computer forensics. His books, articles, and comments everywhere have been incredibly valuable. I really don't know how he has time to do it all.

    I believe this momentary mistake is not a big deal. We all probably wish it hadn't happened. But, the thought that it is going to cause any court problems is way overblown.

    I believe it drives home the importance of comparing results with different tools. Especially critical points of evidence. In fact if there is one "smoking gun" piece of evidence in my cases I try to go past all the tools and look at the data in a hex editor. I then interpret the data with my own training and knowledge. Then I know for 100% there are no mistakes.

    Usually, when double checking things; Harlan's books are one of my go-to resources!

    Thanks Harlan for all that you do for computer forensics!

    Charles Snipes
    http://www.datatriangle.com

    ReplyDelete
  19. Charles,

    Thanks.

    I believe it drives home the importance of comparing results with different tools.

    I'd like to ask your view on this, as I am trying to understand it a bit better.

    The script in question did not return false or misleading data...it's not as if you could have entered "2 + 2" and gotten 7 as a result. The interpreter prevented the script from running.

    As such, I'm a bit unclear what this has to do with tool testing and comparing results from multiple tools.

    Thanks.

    ReplyDelete
  20. This was nothing compared to multitude of errors in judgments, mistakes, or all out screw-ups we all make but are never called out on. Any person with the courage to own their mistakes rather than deny or blame deserves respect for doing so.

    For anonymous bashers, dudes....we all live in glass houses....careful with the rocks.

    I'd say Harlan's Marine Corps experience instilled Honor and Integrity, but like most Marines, they had it going into the Corps anyway.

    Nothing has changed in my view, only that if Harlan ever makes a mistake, ever, with anything, I believe he will admit it and try to correct it. Not everyone does that.

    ReplyDelete
  21. Anonymous12:48 PM

    Thank you for your work Harlan. Thank you also for responding to the hoard of arm-chair-quarter-back tool leeches in an honest and professional manner. I find that I see myself in that same descriptive reflection from time to time. From one tool leech to my peers.... give the man a fair handshake, acknowledge the explaination and apology, and try not to throw stones unless you have at least half similar weight in personal contributions to the DF community.

    ReplyDelete
  22. I underatand Harlan's frustrations, and it is one that has been voiced by him and others in the DFIR community for quite some time now. Probably could have have chosen better words, but he took full account for it, was a true gentleman, and corrected it forthwith (as he did with the broken code within a few days). So no harm done, as Craig Ball so eloquently stated.

    ReplyDelete
  23. Harlan, my only regret is the heat you appear to be taking for this so-called "incident." Good grief. Stay strong buddy.

    ReplyDelete
  24. Anonymous6:22 AM

    Harlan, Lord knows I have made mistakes in mt past, and that horrible feeling you get when you realize you have made one is really painful. We learn from it and move on...It is what is it, now we get over it.

    We all know your frustrations with not getting any feedback, or test data from the community when you openly ask for it, all the while still developing your tools. You still plow onward as a true professional.

    This is an eye opener for all of us to really wake up and pay attention to this fella and try to assist him, because ultimately, he will help you in the end. Be it with his books, this blog, the Yahoo group, what ever.

    Harlan, you are my mentor, and I have learned so much from your material. A mistake was made, now pull up those boot straps, keep your chin up and press on doing the great justice you do to this crazy line of work we are in.

    Regards, Brian.

    ReplyDelete
  25. Brian, Richard, et al.,

    Thanks for your words, they are greatly appreciated.

    This situation, how it started, and how it progressed from Saturday into Sunday has really given me pause. Taking a moment to reflect, it's probably time to reassess my involvement in the "community".

    A lot of things were said, in a semi-public manner, by people within the industry whom I hold in high regard. I do not know what was said...I have been told that it was "tsunami" and even received a call to my home on Sunday evening, where I was told that it was "very bad". I am truly and sincerely sorry for what happened, but I cannot change what is already out there. If two words that I type can have such a damaging effect, perhaps I shouldn't be so involved.

    Again, thanks.

    ReplyDelete
  26. Just to clarify, my comment on double checking results with different tools was just a general principal. I fully accept and understand that in this case the script wouldn't run at all. There were therefore no incorrect results produced.

    With any tool out there, I believe it is important to compare results. Especially results that are key to your case.

    Of all the tools I have used, RegRipper is and will continue to be one of my favorites.

    Charles Snipes

    ReplyDelete
  27. Aron Tripp5:17 PM

    Harlan,

    Keep up the good work. You've provided so much to this community, I hope that you continue your selfless work. I know I have benefited from your work and appreciate it.

    ReplyDelete
  28. Cedric Pernet1:44 AM

    Well I don't see what you've done as something malicious or evil, so... I can understand your point. You've done no hurt, and well, every forensics investigator knows that he must take time to check any tool he gets... I guess there's quite a number of DFIR dudes who tried, saw it didn't work, and after some minutes just decided to move to something else, and did not report the bug... Keep up the good work, Harlan, we all appreciate your work and everything you bring to the DFIR community.

    ReplyDelete
  29. As an avid follower of your books, blog, and RegRipper (and other related software) for the past several years, I can understand your potential frustration of "testing the waters" to get opinions. As in the past you post questions and get very few responses and/or feedback. As with any software (even forensic software) .. the examiner must verify before coming to a conclusion.

    ReplyDelete