P2P Leaks Surprises

kilian.cavalotti writes "A new Web log is posting what it purports are pictures, documents and letters from U.S. soldiers and military bases in Iraq and elsewhere--all of which the site's operator claims to have downloaded from peer-to-peer networks such as Gnutella. The "See What You Share" site has been online for a week and has published photos ranging from a crashed military jet to a screenshot of a spreadsheet file that appears to include names, addresses and telephone numbers of marines. The site's operator, a 30-year-old named Rick Wallace, wrote in a blog posting that he is trying to help the military understand how serious a security risk unmonitored peer-to-peer file sharing can be."

I always thought...

[digitalsushi]

I always thought military desks had two machines on them. A public internet and a military internet, and at no point were they ever interconnected. Is there any shade of truth of that *at all* in any branch of our military? It certainly sounds like any casual remark anyone might make at the watercooler, but it'd be interesting to hear from someone who's been there.

Why This Site Exists

[diagnosis]

Taken from the web site:

Why This Site Exists
Technology often outruns legislation. So is the case with Peer 2 Peer networks. Many people obtain P2P software so they can download music or movies. A large number of those people do not have any idea what they are sharing.

A few months ago, I downloaded some military briefings from the Gnutella Network. The briefings were zipped and the file contained 21 documents with classifications ranging from For Official Use Only to Secret/NO FORN. Shocked at my discovery, I notified an agency on a nearby military installation. When nothing happened, I notified another agency. I continued this course because no action was taken and for a nation at war, I was concerned for the safety of our soldiers.

It may appear that I am picking on certain institutions. This is true. I want everyone to know that we can be our own worst enemies when we don't understand the full power of our technology. I want every military and government agency to see first hand what is being shared with anyone who has a computer. Since a picture is worth a thousand words, I can save myself some talking.

----------------------
Freedom or Evil: Freevil.net
G. W. Bush says, "You decide!"

Place your bets now!

[koganuts]

It'll be interesting to see how long it'll take before the operator of that weblog is arrested, even though he's trying to prove a point.

This can't be too good...

[Eberlin]

This is different from full-disclosure of software vulnerabilities because this is more a human error than anything else. It's not like there's software to be patched...it's a matter of educating the user as to what they're doing wrong.

The only real problem here is the public disclosure of personal information -- if I were one of the names shown, I'd probably be upset. (of course if this is going on in a widespread fashion, I'd be upset anyway) In the end we can only hope that the "shock value" of presenting these to the public will create enough awareness to minimize the problem.

Otherwise we can all watch as the spinsters pull another argument for their "p2p is evil" campaign.

Office LAN

[jekewa]

I once consulted at a place where someone thought to bring some questionable P2P software in to "bring his music software to the office." He ran the same software on his home PC where he did have a collection of ripped CDs, as well as previously P2P downloaded music and videos.

He was not cautious about his setup, and I very quickly showed him how I could basically browse his entire computer hard drive, and (granted with a little hands-on) very quicky map every network resource his system had access to. I suggested that he remove that lest some dishonest version of the software do the additional mapping unbeknownst to him.

P2P is a potential blessing and a damned curse.

Surprising

[Quila]

In the extremely large military network I worked on, all P2P ports were blocked (the rule was deny all, allow by exception) and the IDS was tweaked to catch anyone who fiddled with the ports to get around that. The security guys were not nice to people they caught.

I guess some areas of the military just aren't set up that well.

I got bored just after Kazaa came out.

[JPriest]

And I wanted to see howe many win98 users just shared the HDD. so I searched kazaa for windows 98 password files (.plw) and sure enough. It was a script kiddie act but I amused myself with access to some of the websites I found, lol.

Re:I think is was said somewhere else...

[Zareste]

The problem is that somebody published the pictures on the network. Did anybody notice that, or would we rather just follow Rick's solution and have the people from our oh-so-trustworthy 'that blunder is confidential' military tell us what we can publish and see on the internet? Oh, sounds great. "Hey Jim, this picture has 'no war' written on it. You know what to do..."

I guess we COULD track down whoever leaked the info, but why do that when you can go after anyone on or in the remote proximity of any random network? Perfect plan. A big 'duuuhhhr' goes out to Rick who lacks the capacity to get this through his head.

Give that man a cigar

[Atario]

You hit the nail on the head. The same principles apply to soldiers gabbing about classified stuff F2F, never mind P2P.

Oh, and I submitted this with a funnier headli...er, wait, this isn't Fark, is it.

Well, I did submit it, with a link to a ZDNet article about it, in which they give a little more detail about what happened with the blogger's attempts to get the authorities involved:

In an interview from Germany, where he lives with his wife, a U.S. Army officer, Wallace said he had contacted local military intelligence about the issue. They forwarded the information to a higher level, but there was little further response until he contacted the office of Sen. Conrad Burns, who represents Wallace's home state of Montana, Wallace said.
...
Shortly after Wallace got in contact with Burns' office, the file of classified documents disappeared from Gnutella.

Ummmm...what??? How powerful is this senator, that he can pluck a given file off a decentralized P2P network? How did he do that? Am I going to get an insistent knock on my door for even questioning this?

Tell my wife I love her! AIEEEE!!!

Re:Give that man a cigar

[Dun+Malg]

Shortly after Wallace got in contact with Burns' office, the file of classified documents disappeared from Gnutella.

Ummmm...what??? How powerful is this senator, that he can pluck a given file off a decentralized P2P network? How did he do that?

1) Senator calls DOD aide in and says "find where this is being leaked" (hands him copy of secret document
2) DOD aide makes call to appropriate Army commander (based on the unit(s) referenced in secret doc)
3) Army commander calls in his IT and BuddyFucker(couinter-intel) officers and shouts at them for twenty minutes
4) the unit's computers are examined until P2P host(s) is(are) found and shut down (probably by examining router traffic)

This sequence would probably unfold in under 3 hours.

Re:my email to Glen

[seafortn]

As another former member of the armed forces, with plenty of trips to plenty of places, I say hell yes - ban p2p on official computers - in fact, p2p software is already prohibited by most unit signal officers - these people are probably blatantly disregarding rules designed to protect them - I say go one further, track this stuff back to the originating computers, and get these numskulls Article 15s for not complying with published regulations...

You might argue that p2p could be useful, but obviously the people using these computers can't be trusted with it, so don't screw around - take it away - anything that really needs to be shared can go over email, networked file sharing, or (gasp) - walking the damn things over on a disk!
I don't want some (terrorist, criminal, anybody else who would take advantage of my absence) to have my wife's home address because some idiot wanted to download cool files from the computer that the alert roster was stored on...

Re:I think is was said somewhere else...

[jemenake]

If you choose to expose security weaknesses, don't take advantage of them. Tell those who can fix it/do something about it, and no one else. What this person is doing will just give other people ideas.

Unfortunately, most people don't take it seriously unless it really happens to them or if they see it happen to someone else like them.

A great example of this happened at my university about 10 years ago. The campus ran a cluster of unix machines for students to get email, read usenet, compile C programs, run nethack, etc.

The nerds amongst us were fairly concerned that the admins: 1) didn't keep the passwords in a shadow file, and 2) didn't run Crack on the password file to find weak passwords. I guess the reasons were that: 1) the OS (I think it was AIX at the time) didn't support /etc/shadow, and 2) the admins shuddered at the thought of freezing the accounts of and having to talk scores of users through the process of changing their passwords.

So... one of the nerds kinda... "settled" the issue for them. He ran Crack on the entire password table and POSTED all of the cracked login/password combos (a couple thousand out of something like 10,000 users, I think) to the local campus newsgroups.

Of course... this led to only one account being frozen... and you can probably guess whose it was.

But the campus did start to show a newfound interest in password robustness after that.

In some pretty unlikely places

(posted anon for obvious reasons)

A while back, my ex-employer called me up asking for help. Seems his workstation's drive had died, and as I used to be tech support for them, he wondered if I could attempt some data-recovery on it. Well, the drive wasn't dead, it was just flaky. I managed to get a dump of it eventually, minus a few bad sectors.

Now, the idiot was storing some semi-crucial corporate data on it, which should have been on the server (backed up nightly) like I had told him years before. He insisted on keeping this stuff on his personal machine's drive because he was convinced his staff shouldn't have access to it. ACLs etc just went over his head.

So anyway, a lot of this data was photographs. I didn't want to play hunt & peck with his convulted directory structure, so I just browsed into all .jpgs on the drive. And yes, I had his full permission to do this. I even asked him if there were any directories I should avoid due to personal reasons. Well. You sure do learn a person's fetishes this way - he had a kazaa download folder just full of "raunch".

Now, some of these legitimate business photos were in weird locations, so I poked around further, just to make sure everything copied over nicely, and if not, to tell him what areas were lost. I stumbled upon a folder full of photos called "Jane" (name changed to protect the innocent). Jane, by the way, is his ex. Most of the photos were just vacation shots, etc. However, apparently she let him do a pretty thorough photo shoot one day. I mean *thorough*. Complete, unedited, posed in ways you usually only see on porn sites. With no question of who it was. This is a girl I knew fairly well, and I'm pretty sure she wouldn't be too pleased to know I've now seen her in all her glory. Thankfully I haven't ran into her since this happened.

Needless to say, I copied the data to a new disk for him, admonished him for not keeping it on the server, and collected a nice paycheque.

And learned one important lesson: never EVER trust the s.o. when they say they'll delete those nude photos of you if you ever break up :)

Reverse blur

[hikerhat]

Some of the documents have parts "blurred" out, rather than deleted. I assume it is just some photoshop blur algorithm. Anyone know if that algorithm is reversible? Or is the data really gone? I'm sure the guy running the blog site doesn't know the answer. If you are going to black out sensitive info, you should be absolutely sure you aren't doing it in a reversible way. Just turn all those pixels the same color. Just be careful an attacker can't get any information from the width/height of the area blanked out.

Dear Slashdot

[Letter]

Dear Slashdot,

This is really interesting. Some of the photos on the blog include EXIF information, such as the camera model that took the photo and the date and time the photo was shot. Just more inadvertent information leakage.

-Letter

P.S. I used the command-line program exif to view the EXIF information, but I am sure any decent digital photo software on Windows can view it too.

Re:Absurd

[Mz6]

Well, your medical history isn't classified, but if someone picked that up and looked through it and posted it on the Internet, you would probably be pretty pissed off and embarassed all at the same time. Not all unclassified information is PUBLIC information.

Re:Okay

[lawpoop]

this site shows random pictures on google image search based on naming conventions of digital cameras.

Re:Start running, Rick

[wo1verin3]

>> He can wave goodbye to all his computer
>> equipment. And in about a week's time, he'll
>> be complaining

I think he's safe.... however this may put the P2P networks in violation of the Patriot act and get 'em shut down really quickly where the RIAA couldn't do it.

Re:I think is was said somewhere else...

[DNS-and-BIND]

Ever consider that this is misinformation, intentionally meant to fall into the hands of the enemy?

Nope; not off the hook

[cagle_.25]

If he were 16, I would cut him some slack, but at 30, he should know how the game is played:

1) Go to any reputable news organization (from CNN to Fox, or anything in between), and tell them that you have managed to acquire military briefings through an online file-sharing service. Let them know that you tried to contact the military and nothing happened.

They will be glad for the scoop, happy to look patriotic, and will know how to shame the military into action

2) If that doesn't work or doesn't appeal, contact John Warner's office (senate, head of Armed Services Committee) with your story. Heads will roll.

Re:Read before you throw a fit

[digital+bath]

It seems possible that the reason the military did not respond is because the information on the P2P networks was misinformation that the military hoped would fall into the hands of the enemy. If I'd put misinformation on a P2P network, I a) wouldn't want to admit that is was misinformation and b) wouldn't want to lie to the american public and say it was a security hole.

Re:my email to Glen

[composer777]

I stand corrected. Thank you. You are right, our average security sucks, that was part of my point, which I didn't state very well. However, the security for the group (mainly priviledged middle class whites with computer access) that tends to read slashdot is excellent. This is the group that I am addressing. I should not have used the word "average American", I should have qualified it as "the average middle class white American", which is exactly the group that is most concerned about terrorism and safety.

Just FYI. One thing that you need to keep in mind is that in the cities it does suck (I know because I work in one), but for the white middle and upper class (that live out in suburban areas or in gated communities) it's pretty good. In fact, for people that are in these areas, it's so good it's boring. A lot of crime that you pointed out when you said "especially in the cities" is crime that is referred to as black on black by the experts. What they are referring to is crime that is commited by poor minorities and perpetrated against themselves. However, that is no big deal to most of the (mainly white) people living out in the suburbs. If you point out to them how bad our crime is, many of them will say,"That hasn't been my experience". Or they'll think the best solution is to lock them up, which is why we have the largest jail population in the world. Most of them are only concerned about their own security, which tends to be fairly good. The reason is just as a I stated, we are an inherently racist society. It never occurs to the (mainly white) voting population that the quickest way to excellent average safety (and better safety for themselves) is to look out for the least advantaged groups.

In the neighborhood I grew up in, there was no crime in the 18 years that I lived there, no burglaries, no assaults, murderns, nothing. However, if you go just 20 miles to downtown St. Louis, you can't walk 10 minutes without getting asked for change, or aggressively panhandled (where you will get followed for blocks), and the crime rate tends to be much higher. Cars that are parked in poorly lit areas tend to have their windows smashed out, and insurance is sky high. But that's not all, because this area tends to be well policed, the REALLY bad area is across the river, East St. Louis, where most buildings are closed, and the majority of open business revolves around strip clubs, bars, gambling, and a couple of factories. And, if you pay attention, you'll notice that the skin color of people tends to change as you go from rich areas to poor areas. But that's America, the richest country in the world.