P2P Leaks Surprises
kilian.cavalotti writes "A new Web log is posting what it purports are pictures, documents and letters from U.S. soldiers and military bases in Iraq and elsewhere--all of which the site's operator claims to have downloaded from peer-to-peer networks such as Gnutella.
The "See What You Share" site has been online for a week and has published photos ranging from a crashed military jet to a screenshot of a spreadsheet file that appears to include names, addresses and telephone numbers of marines. The site's operator, a 30-year-old named Rick Wallace, wrote in a blog posting that he is trying to help the military understand how serious a security risk unmonitored peer-to-peer file sharing can be."
If you choose to expose security weaknesses, don't take advantage of them. Tell those who can fix it/do something about it, and no one else. What this person is doing will just give other people ideas.
Glen Breakwater-
As a former member of our armed forces, and an avid technophile as well as outspoken supporter of freedom in all its forms, I have a question:
What exactly are you advocating?
It sounds an awful lot like you're complaining, but you have absolutely no idea how to solve the problem you've raised. This is not constructive...it is merely whining. Do you want to ban P2P services? Do you want to attempt to make yet more copy protection systems? Or are you doing what Michael Moore does and complaining about a situation while having no solution whatsoever?
As for my view: it is the price of freedom. If you don't want Secret/NOFORN documents distributed on the web, then don't hand them out to people! Make sure the only machines that have them are on SIPRNET and take out the damn floppy and zip disk drives.
My position: people are stupid, and until we decide to take real measures to protect secret data (i.e. not providing removable media for secret computers), we'll get burned. A nation at war? Yes, I went to Iraq three times in the past three years. But don't blame the soldiers, or the P2P programs. Blame the idiots that make the information available and the idiots who build the computers and set IT policy for the DoD.
Peer to peer filesharing is NOT a security risk. The lack of a comprehensive security program within our military is a security risk.
Regards,
The problem is that the website author emphasizes that "Technology often outruns legislation. So is the case with Peer 2 Peer networks." He seems to assume that P2P should be legislated against. However, this is a security issue, not an issue specific to P2P systems. Education and other controls should be used to minimize this problem. The military would never let Joe Soldier run a rogue server, why would they let them run any old P2P app on a system with classified information? See, P2P Problem or Security Issue?.
Yikes! Is he trying to get what little liberties we have left removed? And we thought the RIAA/MPAA were the biggest threat to P2P networks. They have nothing on a peeved military!
First off, if classified info got to a P2P network, then there was a security breach BEFORE it got there. The p2p network is not the problem.
Second, if the info isn't classified, why shouldn't it be on p2p? If a jet crashed and there's a picture, and its not classified info, then there's nothing wrong with it being public information, because it IS public information.
Moo.
I believe that the problem is not P2P vulnerabilities but the users knowledge of the software and how to secure their own files. What it boils down to consumer education.
If you have a system installed whereby I ring your doorbell and documents get thrown out the mail slot, then you deserve to lose them.
Sharing files on a p2p network is just that, sharing files. It's not like forgeting to lock your door, it's like having a flashing neon sign that same 'come in' and then getting upset when people do.
You can't really argue that this is likely to give people ideas and hurt the country, because while it's not a very obvious course, it's highly unlikely that he's the first person who's ever thought of looking for sensitive documents on p2p networks. To say that it's "helping the bad guys" is being naive and underestimating the intelligence gathering skills of the 'enemy'.
To quote the most famous example of terrorism against the United States, if a terrorist organisation is coordinated enough to slip various teams with weapons onto several seperate aircraft, and crash those planes into US buildings, I wouldn't say searching internet resources (be they web or p2p) for sensitive information that has been leaked or poorly secured is beyond them, by any stretch of the imagination.
It's also similar to the "Deceptive Duo", who were Americans who hacked military websites and defaced them with screenshots of personnel databases, under the flag of 'patriotism'; in an attempt to make the military realise the importance of security within their systems. The difference being of course that they intentionally penetrated military networks to achieve this, and used uncensored screenshots of databases, revealing private information on government personnel. As such they were arrested for it.
This site hasn't gone so far as to display any critical security data, or illegally access any systems. I have seen and heard of many examples where a hacker has warned a sysadmin on several occasions about the dangers of vulnerabilities in a network, only to be ignored until finally the site ended up being defaced, so I can understand his impatience to some extent. The next person to run off and harvest this information might not be so eager to censor what they consider to be personal data.
There might be an influx of curious people running off to p2p networks to see what they can turn up, but I really don't see this as too much of a concern in the grand scheme of things; what security risk does a 14 year old kid who wants to look cool pose? It's not information that anyone particularly wants public, but in the hands of the average private citizen, it's not drastically critical. A US citizen could probably get a fair few details from public records, or socially engineer contact details out of people. But any "terrorist" who would have been intelligence gathering has more than likely done this sort of activity already.
It's not the easiest problem to rectify though, without some sort of drastic overhaul in the system, and some method of securing or blocking p2p systems across all military computers, which would be a rather hard thing to enforce, and would annoy many soldiers who are used to using these systems. But of course, national security has to come first. If nothing else, an explanation of the importance of not sharing entire drives would be a start.
I'm sorry to say but it's NOT public knowledge to list what classification level service members have. This guy posted a document with several service member's names AND classification levels. Not only this it lists the base they are stationed at and their names and ranks. He was nice enough to blur out their SSN though...
Hmmm.
I prefer looking up people's resume and sending them a message,
"So, how's the weather in [insert locale here] "
Need help treating your acne? Come here!
What I find really funny is just what a threat a paranoid public is to liberty and freedom of all Americans.
I'm frankly somewhat comforted by the fact that we have pictures coming out of Iraq that have not been filtered through the military censors and government spin doctors. I think it's good that we find out about Abu Ghraib. There is a fine line between keeping information secret to promote security and keeping information secret to deny culpability.
You can't put the genie back in the bottle: people want digital cameras, internets and camera phones. People will take pictures of things and share them with others. For the most part, I think more is gained than more is lost. The worst thing that can happen is for people to lose sight of what their government and military are doing. Are some images disturbing? Yes. Do they force us to uncomfortable conclusions about our government? Probably. But what is the alternative: to go on as if such things simply didn't happen? I hope we are braver than that.
There is much pleasure to be gained in useless knowledge.
These leaks are exactly why the "old media", and the politics (Republican, Democrat, Libertarian, you name it) they protect, fear P2P technology so much. Their power, and the profiteering it perpetuates, depends on their central control of the "official truth". One of the mechanisms that accelerated the demise of the Soviet Union was the spread of fax machines in Eastern Europe, which made Pravda ("Truth") too complicated to manage in the minds of the people it oppressed. Now the more nuanced American media control is threatened by more advanced technology, and regime change is in the air.
P2P has some disadvantages, like level of confidence in the content. But that can be mitigated by evolution of the same technology, with corroboration amid complex webs of trust. But the leaks of actual recordings of repellant acts make it much harder for their actors to pretend they're anything but trouble. Cameraphones for peace!
--
make install -not war
In my corner of the military, at least. On a regular basis, all systems connected to the WAN are scanned - for viruses, for messenger programs, for P2P programs, and anything else that shouldn't be on those computers. Finding any of those programs can get a computer kicked off the network, and anyone found actually using those programs can get their right to use government systems revoked. I've already had it happen to one person who was looking at pr0n on a government system.
Now, were these files coming from government systems, or from people who were taking their work home with them? Its a lot harder to control what people do at home. A lot of things I deal with are SBU - sensitive but unclassified. Meaning that the media the information is on (CPU, floppy disk, file cabinet...) doesn't have to have a little sticker stating its classification, but its still information that needs to be protected, such as listings of SSNs.
The government has already made Norton and MacAffee's antivirus programs available for home use to qualifying personnel for free, but just how much can they do about what people do at home?
Also, if a person were using unauthorized software on a government system, the correct action to take would be to contact that person's chain of command. First it would help if you knew who that person was, or at least what unit they were in, but that's just that.