Slashdot Mirror


P2P Leaks Surprises

kilian.cavalotti writes "A new Web log is posting what it purports are pictures, documents and letters from U.S. soldiers and military bases in Iraq and elsewhere--all of which the site's operator claims to have downloaded from peer-to-peer networks such as Gnutella. The "See What You Share" site has been online for a week and has published photos ranging from a crashed military jet to a screenshot of a spreadsheet file that appears to include names, addresses and telephone numbers of marines. The site's operator, a 30-year-old named Rick Wallace, wrote in a blog posting that he is trying to help the military understand how serious a security risk unmonitored peer-to-peer file sharing can be."

5 of 389 comments

  1. I always thought... by digitalsushi · Score: 4, Interesting

    I always thought military desks had two machines on them. A public internet and a military internet, and at no point were they ever interconnected. Is there any shade of truth of that *at all* in any branch of our military? It certainly sounds like any casual remark anyone might make at the watercooler, but it'd be interesting to hear from someone who's been there.

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  2. Place your bets now! by koganuts · Score: 4, Interesting

    It'll be interesting to see how long it'll take before the operator of that weblog is arrested, even though he's trying to prove a point.

  3. Surprising by Quila · Score: 4, Interesting

    In the extremely large military network I worked on, all P2P ports were blocked (the rule was deny all, allow by exception) and the IDS was tweaked to catch anyone who fiddled with the ports to get around that. The security guys were not nice to people they caught.

    I guess some areas of the military just aren't set up that well.

  4. Give that man a cigar by Atario · Score: 4, Interesting
    You hit the nail on the head. The same principles apply to soldiers gabbing about classified stuff F2F, never mind P2P.

    Oh, and I submitted this with a funnier headli...er, wait, this isn't Fark, is it.

    Well, I did submit it, with a link to a ZDNet article about it, in which they give a little more detail about what happened with the blogger's attempts to get the authorities involved:
    "In an interview from Germany, where he lives with his wife, a U.S. Army officer, Wallace said he had contacted local military intelligence about the issue. They forwarded the information to a higher level, but there was little further response until he contacted the office of Sen. Conrad Burns, who represents Wallace's home state of Montana, Wallace said.
    ...
    Shortly after Wallace got in contact with Burns' office, the file of classified documents disappeared from Gnutella."
    Ummmm...what??? How powerful is this senator, that he can pluck a given file off a decentralized P2P network? How did he do that? Am I going to get an insistent knock on my door for even questioning this?

    Tell my wife I love her! AIEEEE!!!
    --
    "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
  5. Re:I think it was said somewhere else... by jemenake · Score: 4, Interesting
    "If you choose to expose security weaknesses, don't take advantage of them. Tell those who can fix it/do something about it, and no one else. What this person is doing will just give other people ideas."
    Unfortunately, most people don't take it seriously unless it really happens to them or if they see it happen to someone else like them.

    A great example of this happened at my university about 10 years ago. The campus ran a cluster of unix machines for students to get email, read usenet, compile C programs, run nethack, etc.

    The nerds amongst us were fairly concerned that the admins: 1) didn't keep the passwords in a shadow file, and 2) didn't run Crack on the password file to find weak passwords. I guess the reasons were that: 1) the OS (I think it was AIX at the time) didn't support /etc/shadow, and 2) the admins shuddered at the thought of freezing the accounts of and having to talk scores of users through the process of changing their passwords.

    So... one of the nerds kinda... "settled" the issue for them. He ran Crack on the entire password table and POSTED all of the cracked login/password combos (a couple thousand out of something like 10,000 users, I think) to the local campus newsgroups.

    Of course... this led to only one account being frozen... and you can probably guess whose it was.

    But the campus did start to show a newfound interest in password robustness after that.