Slashdot Mirror

← Back to Stories (view on slashdot.org)

P2P Leaks Surprises

Posted by CmdrTaco on from the be-careful-people dept.

kilian.cavalotti writes "A new Web log is posting what it purports are pictures, documents and letters from U.S. soldiers and military bases in Iraq and elsewhere--all of which the site's operator claims to have downloaded from peer-to-peer networks such as Gnutella. The "See What You Share" site has been online for a week and has published photos ranging from a crashed military jet to a screenshot of a spreadsheet file that appears to include names, addresses and telephone numbers of marines. The site's operator, a 30-year-old named Rick Wallace, wrote in a blog posting that he is trying to help the military understand how serious a security risk unmonitored peer-to-peer file sharing can be."

44 of 389 comments (clear)

  1. I think is was said somewhere else... by agraupe · · Score: 4, Insightful

    If you choose to expose security weaknesses, don't take advantage of them. Tell those who can fix it/do something about it, and no one else. What this person is doing will just give other people ideas.

    1. Re:I think is was said somewhere else... by Mysticalfruit · · Score: 2, Insightful

      What he could do is find their fax numbers and start faxing them copies of the information... That should get their attention...

      --
      Yes Francis, the world has gone crazy.
    2. Re:I think is was said somewhere else... by BillyBlaze · · Score: 2, Insightful
      When in reality we should be looking at P2P authors.

      Absolutely not. P2P authors, like any other programmers, are making tools. The person who should be held responsible is whichever idiot shared the files in the first place - even if accidental, why on earth was he running a P2P server on a government machine with classified data?

  2. my email to Glen by rpdillon · · Score: 5, Insightful

    Glen Breakwater-

    As a former member of our armed forces, and an avid technophile as well as outspoken supporter of freedom in all its forms, I have a question:

    What exactly are you advocating?

    It sounds an awful lot like you're complaining, but you have absolutely no idea how to solve the problem you've raised. This is not constructive...it is merely whining. Do you want to ban P2P services? Do you want to attempt to make yet more copy protection systems? Or are you doing what Michael Moore does and complaining about a situation while having no solution whatsoever?

    As for my view: it is the price of freedom. If you don't want Secret/NOFORN documents distributed on the web, then don't hand them out to people! Make sure the only machines that have them are on SIPRNET and take out the damn floppy and zip disk drives.

    My position: people are stupid, and until we decide to take real measures to protect secret data (i.e. not providing removable media for secret computers), we'll get burned. A nation at war? Yes, I went to Iraq three times in the past three years. But don't blame the soldiers, or the P2P programs. Blame the idiots that make the information available and the idiots who build the computers and set IT policy for the DoD.

    Peer to peer filesharing is NOT a security risk. The lack of a comprehensive security program within our military is a security risk.

    Regards,

    1. Re:my email to Glen by PCM2 · · Score: 5, Insightful
      It sounds an awful lot like you're complaining, but you have absolutely no idea how to solve the problem you've raised. This is not constructive...it is merely whining.
      Um ... as a taxpaying citizen, is it really too much to ask for the military to take care of its own business, when ostensibly the security of our entire nation is at stake? Since when do you or I get to vote on how the military handles its own housekeeping? It's not up to you or I (or Glen) to establish military policy. All we can do is ask that they please address the issue. I think he's done that in a pretty alarmist way -- but he obviously feels like that's what it's going to take.

      "Ban" P2P services on military computers? By all means, if that's what it takes. Establish penalties for soldiers who fail to observe security protocols? Abso-effin-lutely. This ain't a civil liberties issue, people, and we're not talking about dismantling entire technological innovations here or anything -- this is the military. I wholeheartedly agree that, before Congress comes along and pushes through any further legislation blaming the American people for failures of security policy (i.e. the Patriot Act), the people who are really and literally on the front lines of the information security issue need to get their shit together in a big way.

      --
      Breakfast served all day!
    2. Re:my email to Glen by criquet · · Score: 5, Insightful

      Simply because someone raises an issue that concerns them without having a (stated) solution does not constitute complaining nor whining.

      Though I agree with you point that p2p is not the problem.

    3. Re:my email to Glen by Monkeyman334 · · Score: 2, Insightful

      The problem is the lack of accountability. The people sharing these files are already breaking the UCMJ, specifically failure to obey, by installing unauthorized software. If those pictures are from a military computer, then they most likely downloaded from a personal camera that shouldn't have been attached to the network as well.

      2nd, these aren't classified documents or pictures. Should it be protected? Absolutely, but it's not classified. The problem isn't floppy drives specifically, there are procedures for floppies in class machines that stops data from getting back into unclass. If you work with class computers+floppies then you know the procedure.

      Another thing, the picture of the girl is a common one distributed on P2P networks, and has been for maybe a year.

      Where I'm going with this is... While I agree that the military needs more accountability in computers, the web site author is overstating the problem in an attempt to get some shock value out of it. He's doing that so people might be pressured/scared into securing their networks better.

    4. Re:my email to Glen by seafortn · · Score: 3, Insightful
      I'll add that in my years of service as an officer in the Army, including (too much) time deployed and serving in various headquarters (like places with dedicated communications and security officers), I never heard of whatever the heck it is you're talking about - it's like me saying you were never in the military because you've never heard of using SOSR for breaching obstacles, or don't know what a MOPMS is, don't know what an FLS, SMJP, or DZSO are...

      As we would say in the Army, pull your *!*&(^%$ head out, and realize that most people in the military are much more concerned with doing their jobs, not yours, and could really care less about some obscure network security initiative.

    5. Re:my email to Glen by Orne · · Score: 2, Insightful

      When do we get to vote on how the military handles housekeeping?

      How about every two or six years? Remember, the Congress approves how the military spends its money, and they define the laws by which the military must operate.

      Bring this issue up to your representative's office, and let them know that we don't approve the lax I.T. policies. Or how about write to someone on the Armed Services Oversight Committee, inform them that things like this are taking place, that national security is at risk. If they can shut down Los Alamos over floppy disks, then something needs to change here.

    6. Re:my email to Glen by Anonymous Coward · · Score: 1, Insightful

      I think that p2p inside a military network IS a security risk, and so does this guy. It's obviously a violation of whatever security the military already has in place, simple. P2P from military networks SHOULD be banned.

      If a soldier should want to do p2p, they aught to do it from their own computer on their own connection.

    7. Re:my email to Glen by PCM2 · · Score: 2, Insightful

      But the military isn't a democracy, just as our entire country isn't a true democracy in the strictest sense. It's a representative democracy. You do get some say in what the military does -- you make your input known by voting for its (civilian) commander-in-chief. (That's the U.S. president, for you foreigners.) You don't, on the other hand, get any direct say how it gets to run its security affairs, any more than you get to decide whom it puts in charge of what or what kind of tires it buys to put on Jeeps.

      --
      Breakfast served all day!
    8. Re:my email to Glen by PCM2 · · Score: 3, Insightful

      Actually, let me amend that -- the power to establish military laws and see that they are enforced rests with Congress, not just the president. So you get to influence that by voting for your representatives in Congress. Nationally, there are almost 500 of these. A Web site like this one stands a good chance of reaching the attention of all of them, however, so in a way it's a sneaky way to get around the way our representative democracy limits the individual's influence over the process.

      --
      Breakfast served all day!
    9. Re:my email to Glen by composer777 · · Score: 4, Insightful

      My take on it is that all this talk of security is pretty ridiculous. You're average American belongs to the safest and least threatened group in the entire world. If we cared that much about security we would realize that the first step in creating real security is to provide it to those who need it the most, not those who need it the least. We could start at home, by providing security for those who are most threatened by violence on a daily basis, that is, the poor and the minorities. Ironcially, by focusing on increasing their security, we would in fact also be making the world safer for the most secure group, rich whites. Increasing security for the disadvantaged could involve a multi pronged approach:
      1. Create a program of effective affirmative action that would truly provide equal opportunity, as a start, providing such basic things as shelter, healthcare, etc.
      2. Eliminate racist drug laws that needlessly disciminate again the poor.
      3. Eliminate racist police offices that are one of the biggest threats to the urban population.

      Outside our borders, increasing security would involve a similar approach.
      1. Work to raise the standard of living rather than handing over resources to corporations that are only interested in plundering.
      2. Stop shooting and torturing people, which is one of the biggest threats to security of innocent Iraqi people.
      3. Stop giving Israel carte blanch support to murder, round defenseless Palestineans up into concentration camps and bulldoze their homes.
      4. Stop supporting corrupt, undemocratic regimes such as Saudi Arabia, Saddam Hussein's Iraq in the 80's, etc.

      But, we won't take these steps, our government doesn't take these steps because they realize that security isn't that big of an issue. In fact, the War in Iraq has the effect of increasing terrorism and decreasing security, not just for Americans, but also for the people of Iraq. On the other hand, the people of America won't take these steps because we're a bunch of racist cowards that think that we alone have the right to feel safe in our homes, but that black guy in the ghetto, well, he doesn't, and the Iraqi's in Abu Gharaib, well, they should have known better. It never occurs to us that increasing security of the poor might be the quickest way to create a safe and secure world for everyone. Nor does it occur to us that it is impossible to have perfect security. For some reason we believe that security is our birthright, and ours alone. I can't think of another group on this planet that has a greater expectation of perfect security than middle class Americans. It's a nice goal, but if we are truly interested in real freedom and equality, then we will realize that security can't be just a thing reserved for priveledged American whites.

    10. Re:my email to Glen by nlindstrom · · Score: 3, Insightful
      I would fully support the sacking* of all military personal, starting with the Commander-in-Chief and working downward until only ex-PFC Wintergreen is left.

      * For the Merkins who read this post, sacking is a British term which equates to the American term fire.

    11. Re:my email to Glen by arkhan_jg · · Score: 2, Insightful

      My take on it is that all this talk of security is pretty ridiculous. You're average American belongs to the safest and least threatened group in the entire world.

      Uhh, what?

      I recognise your solutions as valid ones, but you also need to recognise how urgently they're required because the average security of your citizens frankly, sucks (especially those in the cities)

      http://www.mercerhr.com/pressrelease/details.jht ml ?idContent=1084835

      The highest ranking spot for a north american city last year was 40th, graded on personal security. Canadian cities were ranked 25th, and western europe took the highest spots. Unsurprisingly, the lowest spots are wartorn african cities...

      --
      Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
  3. The Emphasis Should be on Security Issues Not P2P by The+Importance+of · · Score: 5, Insightful

    The problem is that the website author emphasizes that "Technology often outruns legislation. So is the case with Peer 2 Peer networks." He seems to assume that P2P should be legislated against. However, this is a security issue, not an issue specific to P2P systems. Education and other controls should be used to minimize this problem. The military would never let Joe Soldier run a rogue server, why would they let them run any old P2P app on a system with classified information? See, P2P Problem or Security Issue?.

  4. Oh no... by ALeavitt · · Score: 2, Insightful

    This is just going to lead to more cracking down on P2P file sharing, even the legitamate kind. Really, accidentally sharing files only comes from ignorance, obliviousness, or some combination of the two. If you don't know what you're sharing, you shouldn't be using P2P. It's that simple. I guess I just thought it was common sense to keep track of what people have access to on one's computer. It seems that a lot of people lack common sense.

    Oh, and barring any posts while I'm writing this, FP!

    --
    This sig has been stolen. Return it to its original user for a reward.
  5. Well we had some freedoms by SteroidMan · · Score: 3, Insightful

    Yikes! Is he trying to get what little liberties we have left removed? And we thought the RIAA/MPAA were the biggest threat to P2P networks. They have nothing on a peeved military!

  6. He's asking for it by Dukeofshadows · · Score: 2, Insightful

    Would anyone else be surprised if this site is shut down or sternly repremanded (perhaps quite publicly) within the week?

    His intentions are good, but we all know about that cliche.

    --
    As long as there is a Second Amendment, there will always be a First Amendment.
  7. Absurd by cephyn · · Score: 5, Insightful

    First off, if classified info got to a P2P network, then there was a security breach BEFORE it got there. The p2p network is not the problem.

    Second, if the info isn't classified, why shouldn't it be on p2p? If a jet crashed and there's a picture, and its not classified info, then there's nothing wrong with it being public information, because it IS public information.

    --
    Moo.
    1. Re:Absurd by FerretFrottage · · Score: 5, Insightful
      If a jet crashed and there's a picture, and its not classified info, then there's nothing wrong with it being public information, because it IS public information.

      Not with the current administration....remember the casket picture incident? They [the pictures] were not classified, but you better not show them to the people.

      --
      "Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
  8. The P2P Disclosures by enforcer999 · · Score: 3, Insightful

    I believe that the problem is not P2P vulnerabilities but the users knowledge of the software and how to secure their own files. What it boils down to consumer education.

  9. This is nothing new. by inotocracy · · Score: 0, Insightful

    ..I remember doing searches on Gnutella networks for camera picture prefixes (dcim*, pc101*, dcf*) and getting all kinds of personal pictures back-- if the person allows the program to index their hard drive, they are morons.

  10. Improper analogy by Anonymous Coward · · Score: 1, Insightful

    Sharing your files on a P2P network is saying "Here are my files that I have chosen to share with you, please download as you wish".

    Your analogy is not correct.

  11. Re:olde news... by trentblase · · Score: 3, Insightful

    If you have a system installed whereby I ring your doorbell and documents get thrown out the mail slot, then you deserve to lose them.

  12. Not the same thing. by DAldredge · · Score: 4, Insightful

    Sharing files on a p2p network is just that, sharing files. It's not like forgeting to lock your door, it's like having a flashing neon sign that same 'come in' and then getting upset when people do.

  13. In the real world it's more difficult... by Stevyn · · Score: 2, Insightful

    Sometimes telling people of the problem isn't enough for them to react to stop it. I don't know if this is the best way to make those in power aware this situation, but I'm sure it will be effective. The pictures I saw didn't look too bad, so quick action to stop this from happening in the future might be better than not making it public where it wouldn't get anyone's attention to stop it.

  14. Re:Give that man a cigar by elmegil · · Score: 2, Insightful

    Sounds like the Senator's office knew the right people to get the message through to the people who were sharing the files incorrectly. How is this frightening? Many people appeal to their Senators over all kinds of issues where you really need to get through to someone in government who's hell bent on ignoring you.

    --
    7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
  15. Well by XeRXeS-TCN · · Score: 3, Insightful

    You can't really argue that this is likely to give people ideas and hurt the country, because while it's not a very obvious course, it's highly unlikely that he's the first person who's ever thought of looking for sensitive documents on p2p networks. To say that it's "helping the bad guys" is being naive and underestimating the intelligence gathering skills of the 'enemy'.

    To quote the most famous example of terrorism against the United States, if a terrorist organisation is coordinated enough to slip various teams with weapons onto several seperate aircraft, and crash those planes into US buildings, I wouldn't say searching internet resources (be they web or p2p) for sensitive information that has been leaked or poorly secured is beyond them, by any stretch of the imagination.

    It's also similar to the "Deceptive Duo", who were Americans who hacked military websites and defaced them with screenshots of personnel databases, under the flag of 'patriotism'; in an attempt to make the military realise the importance of security within their systems. The difference being of course that they intentionally penetrated military networks to achieve this, and used uncensored screenshots of databases, revealing private information on government personnel. As such they were arrested for it.

    This site hasn't gone so far as to display any critical security data, or illegally access any systems. I have seen and heard of many examples where a hacker has warned a sysadmin on several occasions about the dangers of vulnerabilities in a network, only to be ignored until finally the site ended up being defaced, so I can understand his impatience to some extent. The next person to run off and harvest this information might not be so eager to censor what they consider to be personal data.

    There might be an influx of curious people running off to p2p networks to see what they can turn up, but I really don't see this as too much of a concern in the grand scheme of things; what security risk does a 14 year old kid who wants to look cool pose? It's not information that anyone particularly wants public, but in the hands of the average private citizen, it's not drastically critical. A US citizen could probably get a fair few details from public records, or socially engineer contact details out of people. But any "terrorist" who would have been intelligence gathering has more than likely done this sort of activity already.

    It's not the easiest problem to rectify though, without some sort of drastic overhaul in the system, and some method of securing or blocking p2p systems across all military computers, which would be a rather hard thing to enforce, and would annoy many soldiers who are used to using these systems. But of course, national security has to come first. If nothing else, an explanation of the importance of not sharing entire drives would be a start.

  16. Re:I got bored just after Kazaa came out. by Lord+Kano · · Score: 2, Insightful

    It was a script kiddie act but I amused myself with access to some of the websites I found, lol.

    Well, a script kiddie probably wouldn't do this unless there was a tool for it. If you came up with the idea on your own, it was a righteous hack.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  17. Re:Nothing to see here, move along by Mz6 · · Score: 4, Insightful
    As I've stated previously on here...

    I'm sorry to say but it's NOT public knowledge to list what classification level service members have. This guy posted a document with several service member's names AND classification levels. Not only this it lists the base they are stationed at and their names and ranks. He was nice enough to blur out their SSN though...

    --
    Hmmm.
  18. Re:Okay by hikerhat · · Score: 2, Insightful

    Ugh. Not hot. Dig a little further and there are much hotter chicks.

  19. Re:I got bored just after Kazaa came out. by Com2Kid · · Score: 4, Insightful

    I prefer looking up people's resume and sending them a message,

    "So, how's the weather in [insert locale here] "

    --
    Need help treating your acne? Come here!
  20. Re:Start running, Rick by Onikuma · · Score: 2, Insightful

    Seriously. The FBI never takes too kindly to civilians 'helping out'.
    He can wave goodbye to all his computer equipment. And in about a week's time, he'll be complaining, and starting up a paypal account to pay his legal fees. But really, how can you not see this coming? He's just asking for the FBI to pay him a visit.

  21. What's really funny is... by raytracer · · Score: 5, Insightful

    What I find really funny is just what a threat a paranoid public is to liberty and freedom of all Americans.

    I'm frankly somewhat comforted by the fact that we have pictures coming out of Iraq that have not been filtered through the military censors and government spin doctors. I think it's good that we find out about Abu Ghraib. There is a fine line between keeping information secret to promote security and keeping information secret to deny culpability.

    You can't put the genie back in the bottle: people want digital cameras, internets and camera phones. People will take pictures of things and share them with others. For the most part, I think more is gained than more is lost. The worst thing that can happen is for people to lose sight of what their government and military are doing. Are some images disturbing? Yes. Do they force us to uncomfortable conclusions about our government? Probably. But what is the alternative: to go on as if such things simply didn't happen? I hope we are braver than that.

    --

    There is much pleasure to be gained in useless knowledge.

  22. Knowledge is Power - Power to the People! by Doc+Ruby · · Score: 3, Insightful

    These leaks are exactly why the "old media", and the politics (Republican, Democrat, Libertarian, you name it) they protect, fear P2P technology so much. Their power, and the profiteering it perpetuates, depends on their central control of the "official truth". One of the mechanisms that accelerated the demise of the Soviet Union was the spread of fax machines in Eastern Europe, which made Pravda ("Truth") too complicated to manage in the minds of the people it oppressed. Now the more nuanced American media control is threatened by more advanced technology, and regime change is in the air.

    P2P has some disadvantages, like level of confidence in the content. But that can be mitigated by evolution of the same technology, with corroboration amid complex webs of trust. But the leaks of actual recordings of repellant acts make it much harder for their actors to pretend they're anything but trouble. Cameraphones for peace!

    --

    --
    make install -not war

  23. Who's paying ? by ultranova · · Score: 1, Insightful

    So, who do you think is paying for this person ? The RIAA or the MPAA ?

    "We must outlaw p2p because it endangers our military secrets !"

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  24. Re:I'm sick of the wannebe oppressed by Dhalka226 · · Score: 2, Insightful

    How about the right to privacy, now that the FBI can seize your financial records without a subpoena and without having to prove just cause?

  25. Try searching for "resume" by Anonymous Coward · · Score: 1, Insightful

    or better yet, social security!

  26. Re:I got bored just after Kazaa came out. by Tony-A · · Score: 2, Insightful

    The problem with such as Echelon and Carnivore is that they attract people who find dumb people fascinating.

  27. A vehicle for change by stimpleton · · Score: 2, Insightful

    Lets say I was in an industry where I wanted to limit competitors or strangle wider innovation for my companies gain:

    1) Identify the fear du jour.
    2) Align my competitors/competition with that fear.

    Example:
    1) Pesky p2p filesharers and their RIAA buggering ways.
    2) Fix it so wider public perception is that "Music Downloads compromise security". Proof see: look what these people dabble in.

    Problem solved.

    --

    In post Patriot Act America, the library books scan you.
  28. Look at his profile picture by obi-1-kenobi · · Score: 2, Insightful

    That my friends is someone who is alot older than 30.

    --
    "You win again Gravity!" -Futurama (Zapp)
  29. Logic flaw by Maljin+Jolt · · Score: 2, Insightful

    he is trying to help the military understand

    I am afraid "to help the military understand" is an oxymoron no matter which country you live in.

    --
    There you are, staring at me again.
  30. Military knows P2P is a weakness by Amata · · Score: 3, Insightful

    In my corner of the military, at least. On a regular basis, all systems connected to the WAN are scanned - for viruses, for messenger programs, for P2P programs, and anything else that shouldn't be on those computers. Finding any of those programs can get a computer kicked off the network, and anyone found actually using those programs can get their right to use government systems revoked. I've already had it happen to one person who was looking at pr0n on a government system.

    Now, were these files coming from government systems, or from people who were taking their work home with them? Its a lot harder to control what people do at home. A lot of things I deal with are SBU - sensitive but unclassified. Meaning that the media the information is on (CPU, floppy disk, file cabinet...) doesn't have to have a little sticker stating its classification, but its still information that needs to be protected, such as listings of SSNs.

    The government has already made Norton and MacAffee's antivirus programs available for home use to qualifying personnel for free, but just how much can they do about what people do at home?

    Also, if a person were using unauthorized software on a government system, the correct action to take would be to contact that person's chain of command. First it would help if you knew who that person was, or at least what unit they were in, but that's just that.