P2P Leaks Surprises
kilian.cavalotti writes "A new Web log is posting what it purports are pictures, documents and letters from U.S. soldiers and military bases in Iraq and elsewhere--all of which the site's operator claims to have downloaded from peer-to-peer networks such as Gnutella.
The "See What You Share" site has been online for a week and has published photos ranging from a crashed military jet to a screenshot of a spreadsheet file that appears to include names, addresses and telephone numbers of marines. The site's operator, a 30-year-old named Rick Wallace, wrote in a blog posting that he is trying to help the military understand how serious a security risk unmonitored peer-to-peer file sharing can be."
I don't care what the military shares, but I surely want to see more of her... Redheads.... *drool* ;-)
The FBI is on the way...
If you choose to expose security weaknesses, don't take advantage of them. Tell those who can fix it/do something about it, and no one else. What this person is doing will just give other people ideas.
Glen Breakwater-
As a former member of our armed forces, and an avid technophile as well as outspoken supporter of freedom in all its forms, I have a question:
What exactly are you advocating?
It sounds an awful lot like you're complaining, but you have absolutely no idea how to solve the problem you've raised. This is not constructive...it is merely whining. Do you want to ban P2P services? Do you want to attempt to make yet more copy protection systems? Or are you doing what Michael Moore does and complaining about a situation while having no solution whatsoever?
As for my view: it is the price of freedom. If you don't want Secret/NOFORN documents distributed on the web, then don't hand them out to people! Make sure the only machines that have them are on SIPRNET and take out the damn floppy and zip disk drives.
My position: people are stupid, and until we decide to take real measures to protect secret data (i.e. not providing removable media for secret computers), we'll get burned. A nation at war? Yes, I went to Iraq three times in the past three years. But don't blame the soldiers, or the P2P programs. Blame the idiots that make the information available and the idiots who build the computers and set IT policy for the DoD.
Peer to peer filesharing is NOT a security risk. The lack of a comprehensive security program within our military is a security risk.
Regards,
Sounds more like he is trying to train them in target practice to me.
Non, je ne veux pas coucher avec toi ce soir.
The problem is that the website author emphasizes that "Technology often outruns legislation. So is the case with Peer 2 Peer networks." He seems to assume that P2P should be legislated against. However, this is a security issue, not an issue specific to P2P systems. Education and other controls should be used to minimize this problem. The military would never let Joe Soldier run a rogue server, why would they let them run any old P2P app on a system with classified information? See: P2P Problem or Security Issue?
the risks of P2P.... especially publicly exposing security holes.
search your favourite P2P network for things like ".XLS". When you find some that are obviously not intended for public viewing then look at the person's shared files for more goodies.
not that I'd ever do that.
Trolling is a art,
I always thought military desks had two machines on them. A public internet and a military internet, and at no point were they ever interconnected. Is there any shade of truth of that *at all* in any branch of our military? It certainly sounds like any casual remark anyone might make at the watercooler, but it'd be interesting to hear from someone who's been there.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Taken from the web site:
Why This Site Exists
Technology often outruns legislation. So is the case with Peer 2 Peer networks. Many people obtain P2P software so they can download music or movies. A large number of those people do not have any idea what they are sharing.
A few months ago, I downloaded some military briefings from the Gnutella Network. The briefings were zipped and the file contained 21 documents with classifications ranging from For Official Use Only to Secret/NO FORN. Shocked at my discovery, I notified an agency on a nearby military installation. When nothing happened, I notified another agency. I continued this course because no action was taken and for a nation at war, I was concerned for the safety of our soldiers.
It may appear that I am picking on certain institutions. This is true. I want everyone to know that we can be our own worst enemies when we don't understand the full power of our technology. I want every military and government agency to see first hand what is being shared with anyone who has a computer. Since a picture is worth a thousand words, I can save myself some talking.
----------------------
Freedom or Evil: Freevil.net
G. W. Bush says, "You decide!"
This is just going to lead to more cracking down on P2P file sharing, even the legitimate kind. Really, accidentally sharing files only comes from ignorance, obliviousness, or some combination of the two. If you don't know what you're sharing, you shouldn't be using P2P. It's that simple. I guess I just thought it was common sense to keep track of what people have access to on one's computer. It seems that a lot of people lack common sense.
Oh, and barring any posts while I'm writing this, FP!
This sig has been stolen. Return it to its original user for a reward.
Yikes! Is he trying to get what little liberties we have left removed? And we thought the RIAA/MPAA were the biggest threat to P2P networks. They have nothing on a peeved military!
It'll be interesting to see how long it'll take before the operator of that weblog is arrested, even though he's trying to prove a point.
Would anyone else be surprised if this site is shut down or sternly reprimanded (perhaps quite publicly) within the week?
His intentions are good, but we all know about that cliche.
As long as there is a Second Amendment, there will always be a First Amendment.
... where are the other "raunchy" photos?
The real "Libtards" are the Libertarians!
First off, if classified info got to a P2P network, then there was a security breach BEFORE it got there. The p2p network is not the problem.
Second, if the info isn't classified, why shouldn't it be on p2p? If a jet crashed and there's a picture, and its not classified info, then there's nothing wrong with it being public information, because it IS public information.
Moo.
File sharing in the military could be a good thing. Hopefully the RIAA will make the mistake of trying to sue the military for copyright infringement, causing the US military to begin taking out "targets of opportunity" here in the US *cough Mitch Bainwol & Hilary Rosen cough*...
Vandemar.org
I believe that the problem is not P2P vulnerabilities but the user's knowledge of the software and how to secure their own files. What it boils down to is consumer education.
he is trying to help the military understand how serious a security risk unmonitored peer-to-peer file sharing can be
He's right -- P2P networks are used to distribute weapons of mass destruction.
This is different from full-disclosure of software vulnerabilities because this is more a human error than anything else. It's not like there's software to be patched...it's a matter of educating the user as to what they're doing wrong.
The only real problem here is the public disclosure of personal information -- if I were one of the names shown, I'd probably be upset. (of course if this is going on in a widespread fashion, I'd be upset anyway) In the end we can only hope that the "shock value" of presenting these to the public will create enough awareness to minimize the problem.
Otherwise we can all watch as the spinsters pull another argument for their "p2p is evil" campaign.
He was not cautious about his setup, and I very quickly showed him how I could basically browse his entire computer hard drive, and (granted, with a little hands-on) very quickly map every network resource his system had access to. I suggested that he remove that lest some dishonest version of the software do the additional mapping unbeknownst to him.
P2P is a potential blessing and a damned curse.
End the FUD
Did you read http://www.seewhatyoushare.com/2004/07/why-this-site-exists.html
He made valid and physical attempts to inform the proper people about the issues and he saw no response, no action, he was basically ignored.
Well I bet they are taking notice now.. I would like to see every single person he talked to in the military that did nothing up on military charges and kicked out of the military with nothing.
No, better yet, a true example should be set and they should end up in prison for threatening the security of our nation.
Personal Website
In the extremely large military network I worked on, all P2P ports were blocked (the rule was deny all, allow by exception) and the IDS was tweaked to catch anyone who fiddled with the ports to get around that. The security guys were not nice to people they caught.
I guess some areas of the military just aren't set up that well.
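The "deny all, allow by exception" egress policy and the IDS tuning described in the comment above, worked through as an added example (not code from the page or from any military network): it audits constructed connection records against a port allowlist and flags hosts that keep probing different blocked ports. The log format, host names, allowlist and threshold are all assumptions.

```python
"""Audit outbound-connection records against a deny-all, allow-by-exception
egress policy, and flag hosts that appear to be hunting for an open port.

Constructed illustration; the record format, hosts, allowlist and
threshold below are assumptions, not any real network's configuration.
"""
from collections import defaultdict

# Assumed policy: only these destination ports are permitted outbound.
ALLOWED_PORTS = {25, 53, 80, 443}

# Assumed IDS rule: a host denied on this many distinct ports is treated
# as someone "fiddling with the ports" to get around the policy.
PORT_HOP_THRESHOLD = 3

# Constructed sample records: "<src_host> <dst_ip> <dst_port> <action>".
# 6346/6347 (Gnutella), 4662 (eDonkey), 1214 (FastTrack) and 6881
# (BitTorrent) are the default ports of P2P clients of that era.
SAMPLE_LOG = """\
ws-101 203.0.113.5 443 allow
ws-101 203.0.113.9 80 allow
ws-207 198.51.100.20 6346 deny
ws-207 198.51.100.20 6347 deny
ws-207 198.51.100.20 4662 deny
ws-207 198.51.100.20 443 allow
ws-318 192.0.2.77 1214 deny
ws-318 192.0.2.77 6881 allow
"""


def parse_record(line):
    """Split one whitespace-separated record into a dict."""
    src, dst, port, action = line.split()
    return {"src": src, "dst": dst, "port": int(port), "action": action}


def audit(log_text, allowed=ALLOWED_PORTS, threshold=PORT_HOP_THRESHOLD):
    """Return (policy_violations, port_hoppers).

    policy_violations: records that were allowed although their port is
    not on the exception list, i.e. the firewall does not match the
    written policy.
    port_hoppers: source hosts denied on at least `threshold` distinct
    ports, the pattern the IDS rule is meant to alert on.
    """
    violations = []
    denied_ports = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["action"] == "allow" and rec["port"] not in allowed:
            violations.append(rec)
        elif rec["action"] == "deny":
            denied_ports[rec["src"]].add(rec["port"])
    hoppers = sorted(h for h, ports in denied_ports.items()
                     if len(ports) >= threshold)
    return violations, hoppers


if __name__ == "__main__":
    bad, hoppers = audit(SAMPLE_LOG)
    for rec in bad:
        print(f"policy gap: {rec['src']} -> port {rec['port']} was allowed")
    for host in hoppers:
        print(f"port hopping: {host} denied on {PORT_HOP_THRESHOLD}+ ports")
```

On the sample data this reports the misconfigured allow for port 6881 from ws-318 and names ws-207, which was denied on three different P2P ports, as a port hopper.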
It sure seems like Joan is a Harley Davidson freak. It looks like she's completely outfitted for a week of sun and fun..
Leather Jacket.. Check
Swim Suit.. Check
Necklace.. Check
Gold dress.. Check
Bras.. Check
Shoes.. Check
Panties.. Umm. hmm. Not Check.
I think I'm in love.
And I wanted to see how many win98 users just shared the HDD, so I searched kazaa for windows 98 password files (.pwl) and sure enough. It was a script kiddie act but I amused myself with access to some of the websites I found, lol.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
Finally a slashdot article I can comment on knowledgably.
I'm an officer in the US Army and on a casual glance through the file list there's nothing on there that's classified. You can look up most of these manuals on google.
Here's a site that lists a couple: US Army Fields Manuals Not hugely helpful unless you have training and equipment, but I guess if I were a (bored) terrorist, I'd read em.
Sharing files on a p2p network is just that, sharing files. It's not like forgetting to lock your door, it's like having a flashing neon sign that says 'come in' and then getting upset when people do.
Oh, and I submitted this with a funnier headli...er, wait, this isn't Fark, is it.
Well, I did submit it, with a link to a ZDNet article about it, in which they give a little more detail about what happened with the blogger's attempts to get the authorities involved:
Ummmm...what??? How powerful is this senator, that he can pluck a given file off a decentralized P2P network? How did he do that? Am I going to get an insistent knock on my door for even questioning this?
Tell my wife I love her! AIEEEE!!!
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
The military will see this as a security breach and fix it by arresting Glen and taking his blog down, then they'll go after the P2P software on their PCs. Of course, none of this will, in the end, improve security or help protect our troops. But it will play well in Peoria on the 6 o'clock news.
Sometimes telling people of the problem isn't enough for them to react to stop it. I don't know if this is the best way to make those in power aware of this situation, but I'm sure it will be effective. The pictures I saw didn't look too bad, so quick action to stop this from happening in the future might be better than not making it public where it wouldn't get anyone's attention to stop it.
You can't really argue that this is likely to give people ideas and hurt the country, because while it's not a very obvious course, it's highly unlikely that he's the first person who's ever thought of looking for sensitive documents on p2p networks. To say that it's "helping the bad guys" is being naive and underestimating the intelligence gathering skills of the 'enemy'.
To quote the most famous example of terrorism against the United States, if a terrorist organisation is coordinated enough to slip various teams with weapons onto several separate aircraft, and crash those planes into US buildings, I wouldn't say searching internet resources (be they web or p2p) for sensitive information that has been leaked or poorly secured is beyond them, by any stretch of the imagination.
It's also similar to the "Deceptive Duo", who were Americans who hacked military websites and defaced them with screenshots of personnel databases, under the flag of 'patriotism'; in an attempt to make the military realise the importance of security within their systems. The difference being of course that they intentionally penetrated military networks to achieve this, and used uncensored screenshots of databases, revealing private information on government personnel. As such they were arrested for it.
This site hasn't gone so far as to display any critical security data, or illegally access any systems. I have seen and heard of many examples where a hacker has warned a sysadmin on several occasions about the dangers of vulnerabilities in a network, only to be ignored until finally the site ended up being defaced, so I can understand his impatience to some extent. The next person to run off and harvest this information might not be so eager to censor what they consider to be personal data.
There might be an influx of curious people running off to p2p networks to see what they can turn up, but I really don't see this as too much of a concern in the grand scheme of things; what security risk does a 14 year old kid who wants to look cool pose? It's not information that anyone particularly wants public, but in the hands of the average private citizen, it's not drastically critical. A US citizen could probably get a fair few details from public records, or socially engineer contact details out of people. But any "terrorist" who would have been intelligence gathering has more than likely done this sort of activity already.
It's not the easiest problem to rectify though, without some sort of drastic overhaul in the system, and some method of securing or blocking p2p systems across all military computers, which would be a rather hard thing to enforce, and would annoy many soldiers who are used to using these systems. But of course, national security has to come first. If nothing else, an explanation of the importance of not sharing entire drives would be a start.
(posted anon for obvious reasons)
A while back, my ex-employer called me up asking for help. Seems his workstation's drive had died, and as I used to be tech support for them, he wondered if I could attempt some data-recovery on it. Well, the drive wasn't dead, it was just flaky. I managed to get a dump of it eventually, minus a few bad sectors.
Now, the idiot was storing some semi-crucial corporate data on it, which should have been on the server (backed up nightly) like I had told him years before. He insisted on keeping this stuff on his personal machine's drive because he was convinced his staff shouldn't have access to it. ACLs etc just went over his head.
So anyway, a lot of this data was photographs. I didn't want to play hunt & peck with his convoluted directory structure, so I just browsed into all .jpgs on the drive. And yes, I had his full permission to do this. I even asked him if there were any directories I should avoid due to personal reasons. Well. You sure do learn a person's fetishes this way - he had a kazaa download folder just full of "raunch".
:)
Now, some of these legitimate business photos were in weird locations, so I poked around further, just to make sure everything copied over nicely, and if not, to tell him what areas were lost. I stumbled upon a folder full of photos called "Jane" (name changed to protect the innocent). Jane, by the way, is his ex. Most of the photos were just vacation shots, etc. However, apparently she let him do a pretty thorough photo shoot one day. I mean *thorough*. Complete, unedited, posed in ways you usually only see on porn sites. With no question of who it was. This is a girl I knew fairly well, and I'm pretty sure she wouldn't be too pleased to know I've now seen her in all her glory. Thankfully I haven't run into her since this happened.
Needless to say, I copied the data to a new disk for him, admonished him for not keeping it on the server, and collected a nice paycheque.
And learned one important lesson: never EVER trust the s.o. when they say they'll delete those nude photos of you if you ever break up
What I find really funny is just what a threat a paranoid public is to liberty and freedom of all Americans.
I'm frankly somewhat comforted by the fact that we have pictures coming out of Iraq that have not been filtered through the military censors and government spin doctors. I think it's good that we find out about Abu Ghraib. There is a fine line between keeping information secret to promote security and keeping information secret to deny culpability.
You can't put the genie back in the bottle: people want digital cameras, internets and camera phones. People will take pictures of things and share them with others. For the most part, I think more is gained than more is lost. The worst thing that can happen is for people to lose sight of what their government and military are doing. Are some images disturbing? Yes. Do they force us to uncomfortable conclusions about our government? Probably. But what is the alternative: to go on as if such things simply didn't happen? I hope we are braver than that.
There is much pleasure to be gained in useless knowledge.
Mr. Wallace has an interesting point -- stuff is being accidentally shared that people would probably prefer not to be shared. This is interesting. However, I do not agree with his conclusion, that "legislation has not caught up with the P2P world". All P2P does is enable data to be transferred -- people have been accidentally sharing data for a long time. I remember when an journalist (I believe it was Adam Engst, of TidBITS) wrote an article about how he accidentally placed some pictures of himself that he didn't want made public in a directory with an unusual name on a webserver. They were eventually accidentally made public. This is certainly not a problem inherent to P2P systems -- it can be done on any system that allows data transfer, and on any system that is worldwide and allows anyone to provide data (such as P2P networks or the Web), it is quite certain that accidental distribution of data will happen.
Now, I can agree that some P2P apps could use some revision. P2P apps should not scan the entire hard drive for files -- they really need a "shared" directory to be designated, even if it requires the user to do some extra work. But this is a software user interface issue, not a legal issue that requires legislative intervention, as Mr. Wallace seems to feel.
There is certainly nothing of particular significance to P2P when it comes to potential data leaks. Client-server models can allow just as much a problem.
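The design point in the comment above, that a P2P client should share only a directory the user explicitly designates rather than whatever a drive scan finds, worked through as an added example (not code from any P2P client or from the page). It confines sharing to one root, refuses paths that escape it through `..` or symlinks, and audits the share for document types the page's own leak (a spreadsheet of names and phone numbers) shows people rarely mean to publish; the sample tree and the extension list are constructed assumptions.

```python
"""Confine a P2P share to one designated directory and audit its contents.

Constructed illustration; the sample tree, file names and the list of
risky extensions are assumptions, not any real client's behaviour.
"""
import os
import tempfile

# Assumed: document types a home user rarely intends to publish to strangers.
RISKY_EXTENSIONS = {".xls", ".doc", ".pst", ".pwl", ".zip"}


def is_inside(root, path):
    """True if `path`, after resolving '..' and symlinks, lies under `root`."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return path == root or path.startswith(root + os.sep)


def select_shared_files(share_root, candidates):
    """Keep only candidates that really live under the share root.
    Returns (kept, refused); refused paths escaped via '..' or a symlink."""
    kept, refused = [], []
    for p in candidates:
        (kept if is_inside(share_root, p) else refused).append(p)
    return kept, refused


def audit_share(share_root):
    """Walk the share and report (path, reason) for files the user probably
    does not mean to expose: symlinks leading outside the share, and
    sensitive document types sitting inside it."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(share_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if not is_inside(share_root, full):
                findings.append((full, "symlink escapes share root"))
            elif ext in RISKY_EXTENSIONS:
                findings.append((full, f"sensitive document type {ext}"))
    return findings


def build_demo_tree():
    """Constructed layout: a share holding music plus a misplaced
    spreadsheet, and a symlink pointing at a document outside the share."""
    base = tempfile.mkdtemp()
    share = os.path.join(base, "Shared")
    os.makedirs(os.path.join(share, "music"))
    open(os.path.join(share, "music", "song.mp3"), "w").close()
    open(os.path.join(share, "roster.xls"), "w").close()
    private = os.path.join(base, "private.doc")
    open(private, "w").close()
    os.symlink(private, os.path.join(share, "link.doc"))
    return base, share


def demo():
    """Run both checks on the constructed tree; returns plain results."""
    _base, share = build_demo_tree()
    reasons = {os.path.basename(p): why for p, why in audit_share(share)}
    candidates = [
        os.path.join(share, "music", "song.mp3"),  # inside: kept
        os.path.join(share, "..", "private.doc"),  # '..' escape: refused
        os.path.join(share, "link.doc"),           # symlink escape: refused
    ]
    kept, refused = select_shared_files(share, candidates)
    return {"reasons": reasons, "kept": len(kept), "refused": len(refused)}


if __name__ == "__main__":
    for name, why in demo()["reasons"].items():
        print(f"{name}: {why}")
```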
May we never see th
These leaks are exactly why the "old media", and the politics (Republican, Democrat, Libertarian, you name it) they protect, fear P2P technology so much. Their power, and the profiteering it perpetuates, depends on their central control of the "official truth". One of the mechanisms that accelerated the demise of the Soviet Union was the spread of fax machines in Eastern Europe, which made Pravda ("Truth") too complicated to manage in the minds of the people it oppressed. Now the more nuanced American media control is threatened by more advanced technology, and regime change is in the air.
P2P has some disadvantages, like level of confidence in the content. But that can be mitigated by evolution of the same technology, with corroboration amid complex webs of trust. But the leaks of actual recordings of repellant acts make it much harder for their actors to pretend they're anything but trouble. Cameraphones for peace!
--
make install -not war
Okay, just imagine... that green thingie slips down... and... It's a shemale!
How about the right to privacy, now that the FBI can seize your financial records without a subpoena and without having to prove just cause?
If he were 16, I would cut him some slack, but at 30, he should know how the game is played:
1) Go to any reputable news organization (from CNN to Fox, or anything in between), and tell them that you have managed to acquire military briefings through an online file-sharing service. Let them know that you tried to contact the military and nothing happened.
They will be glad for the scoop, happy to look patriotic, and will know how to shame the military into action
2) If that doesn't work or doesn't appeal, contact John Warner's office (senate, head of Armed Services Committee) with your story. Heads will roll.
Human being (n.): A genetically human, genetically distinct, functioning organism.
Let's say I was in an industry where I wanted to limit competitors or strangle wider innovation for my company's gain:
1) Identify the fear du jour.
2) Align my competitors/competition with that fear.
Example:
1) Pesky p2p filesharers and their RIAA buggering ways.
2) Fix it so wider public perception is that "Music Downloads compromise security". Proof see: look what these people dabble in.
Problem solved.
In post Patriot Act America, the library books scan you.
The guy is stupid. Not only does he not know anything about the US military or what the regular GI does with his spare time. I do not know if those lists are real or fake but the image is nothing to worry about. Most enlisted don't know jack about what the higher echelon is doing until the final phase. Case in point: My friend got a notice to ship out. He had a one-day notice. No one on the ship except the Captain and his XO knew in advance what was going on. My friend doesn't even know when he will come back. It wasn't a special mission or anything. In fact when he got back home, he told us that they just ran around in circles for ten days doing nothing. This is just a small example of how the military works. The US military doesn't think like regular civilians.
t laws?page=1
On the pictures issue, if you go to any gun or military website forum, you will see a lot of pictures that were taken by GIs all over the world, from combat to R&R. There are in fact millions of pictures floating around websites that show those kinds of pictures. You don't need P2P to find out. GIs have their own websites, units have their websites, and God knows how many other military-related websites on the web show those kinds of pictures.
Here is a unit with their website and images. Some of the pictures are from Iraq. I found some of them enjoyable.
http://www.strykernews.com/gallery/ou
That, my friends, is someone who is a lot older than 30.
"You win again Gravity!" -Futurama (Zapp)
he is trying to help the military understand
I am afraid "to help the military understand" is an oxymoron no matter which country you live in.
There you are, staring at me again.
In my corner of the military, at least. On a regular basis, all systems connected to the WAN are scanned - for viruses, for messenger programs, for P2P programs, and anything else that shouldn't be on those computers. Finding any of those programs can get a computer kicked off the network, and anyone found actually using those programs can get their right to use government systems revoked. I've already had it happen to one person who was looking at pr0n on a government system.
Now, were these files coming from government systems, or from people who were taking their work home with them? It's a lot harder to control what people do at home. A lot of things I deal with are SBU - sensitive but unclassified. Meaning that the media the information is on (CPU, floppy disk, file cabinet...) doesn't have to have a little sticker stating its classification, but it's still information that needs to be protected, such as listings of SSNs.
The government has already made Norton's and McAfee's antivirus programs available for home use to qualifying personnel for free, but just how much can they do about what people do at home?
Also, if a person were using unauthorized software on a government system, the correct action to take would be to contact that person's chain of command. First it would help if you knew who that person was, or at least what unit they were in, but that's just that.
Let me be the judge of that.