Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dead Drops P2P File Sharing Spreads Around Globe

Posted by Soulskill on from the will-someday-enable-a-revolution-in-dystopia dept.

Lucas123 writes "After beginning as an art project 3 years ago in Manhattan to thwart government online spying and offer a physical depiction of our digitally-connected society, a trend of embedding USB thumb drives in walls has caught on and spread to every continent but Antarctica. Dead Drops, as the anonymous P2P files sharing network is called, now has more than 1,200 locations worldwide and has morphed as participants have become more creative in not only where they place the drives, but how they share files, including creating WiFi locations. The thumb drives, which range in size from a few megabytes to 60GB, have allowed people to share music, video, personal photos, poetry, political discourse, or artwork anonymously. Dead Drops creator, German artist Aram Bartholl, said the project is a way to 'un-cloud' file sharing."

22 of 174 comments (clear)

  1. Why yes! by Frosty+Piss · · Score: 5, Insightful

    I'd be happy to plug my netbook / phone / multimedia device into this unknown thumb drive. Why not? I've got anti-virus...

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Why yes! by stewsters · · Score: 2

      I prefer to plug in random firewire cables that i find hanging out of walls.

    2. Re:Why yes! by Anonymous Coward · · Score: 2, Insightful

      don't mount the drive as root...
      or better yet, use a livecd boot and only mount a small partition you set aside for this.

    3. Re:Why yes! by i+kan+reed · · Score: 4, Insightful

      Yes, windows blows, but a smart operating system doesn't protect you. A known flaw in the drivers for a USB drive could still allow execution of arbitrary code.

    4. Re:Why yes! by Anonymous Coward · · Score: 5, Funny

      Not a thing. I have no idea how I am even making this post.

    5. Re:Why yes! by Hobadee · · Score: 5, Interesting

      You are making a pretty big assumption there that what you are plugging in is actually a storage device. It could easily be a device which shows up as an HID device and plays back a macro. "Alt-F2, 'xterm', Enter, 'rm -rf /', Enter" would be pretty devastating on your secure Linux box which doesn't run anything from removable media.

      Just because it looks like a thumb drive, doesn't mean it is one!

      --
      ...Had this been an actual emergency, we would have fled in terror, and you would not have been informed.
    6. Re:Why yes! by jkflying · · Score: 5, Informative

      You're thinking software. Try thinking hardware.

      I bet by hooking the other end of the USB up to 220V I could do some pretty nasty things to your computer.

      --
      Help I am stuck in a signature factory!
    7. Re:Why yes! by Anonymous Coward · · Score: 2, Interesting

      You are blindly trusting that something physically appearing as a "USB key" is a usb storage class device. It could just as easily present some human-interface device endpoints and start injecting keyboard or mouse input to quickly control your computer. Or, it could simply zap your computer with a high voltage surge, potentially by drawing USB power to charge a capacitor...

    8. Re: Why yes! by DigiShaman · · Score: 3, Funny

      I've seen what happens to a PC that took a direct hit. Lightning struck the house that it was in. The damage to the motherboard was fantastic! Every IC, south bridge, north bridge, and main CPU, had its packaging material blown off exactly where each chip was below it. I've never seen anything like it.

      --
      Life is not for the lazy.
  2. Better idea by MrEricSir · · Score: 4, Informative

    While it requires power, something like the PirateBox seems like a safer alternative. It relies on wifi, which means you don't have to be in one physical spot to use it, and you don't run the risk of pluggin your computer into something you can't see. You never know, it could be a 240 volt power line attached to that USB plug.

    --
    There's no -1 for "I don't get it."
    1. Re:Better idea by CastrTroy · · Score: 2

      I was just thinking of doing something similar with a Raspberry Pi (or other similar cheap computer, Beaglebone etc.) Add a wireless dongle, create a network that people can connect to, and allow them to add files. It would be pretty easy to set up a firewall, so they couldn't do much damage. I'm not sure what the best software would be though. It would be nice if you could allow people to upload, but not delete files, and set up some kind of quota system so that someone doesn't just fill it with junk.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  3. What a great idea! by Russ1642 · · Score: 5, Funny

    The technological equivalent of having unprotected sex through a glory hole at a Quebec truckstop.

    1. Re:What a great idea! by Russ1642 · · Score: 4, Funny

      When trying to depict something as seedy make it French. I didn't make up the rules.

    2. Re:What a great idea! by cjb658 · · Score: 2

      What if the government is doing this to get us to install their spyware?

    3. Re:What a great idea! by Rockoon · · Score: 4, Insightful

      If you're running a system that is vulnerable to infected USB devices or media files, that's pretty much on you.

      Sigh.. there is no technical reason why a untrusted USB device couldnt present itself as a Human Interface Device (HID - keyboard, mouse, both, ..) and then open up a shell on your *nix box and run arbitrary shell commands.

      There is in fact concern that future USB drives will be manufactured to "phone home" using such techniques.

      --
      "His name was James Damore."
  4. Ah... Sneakernet. by fahrbot-bot · · Score: 4, Informative

    Sneakernet, for you youngsters, is like the Internet, but with more walking.

    [ Links make things "Informative"... :-) ]

    --
    It must have been something you assimilated. . . .
  5. Interesting, but... by Impy+the+Impiuos+Imp · · Score: 2

    I don't see how this thwarts government spying. A catalog must be online somewhere, and anything the government is interested in, well, bonus, set up a cam opposite and write down whoever visits. Hell, it makes foreign spying even easier -- just another tourist visiting your country.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  6. Re:How is this different from sneakernet? by Gibgezr · · Score: 2

    This is sneakernet with anonymous strangers. I don't know about you, but that is a new one on me. It used to be I knew who I was getting the floppy disk from.

  7. Antarctica doesn't need dead drops... by babymac · · Score: 3, Interesting

    As a six month veteran of the US Antarctic Program, I can tell you McMurdo Station doesn't need dead drops. There's plenty of file sharing going on pretty much in the open. I attended meetings in the library that would pretty much devolve into file sharing swap meets. I suppose it must have been like the mid-1990s on college campuses. Fun stuff!

    --
    "War makes me sad." - Me
  8. Re:And it never occured to anyone ... by blueg3 · · Score: 4, Informative

    How do they "load software to track who is downloading"? Do thumb drives now have the capability to execute software on their own?

    Sometimes! But let's use an easier attack. Put a thumb drive plus some custom hardware into a thumb drive case. Easy to do. The hardware enumerates as both a thumb drive and, say, a USB audio-device driver that is present on most stock Linux distributions and has a particular buffer overflow vulnerability that allows arbitrary code execution. That sort of vulnerability is reasonably common and has happened in the past. Engineering that hardware is not hard. When the system enumerates the USB audio device, it loads that driver and the driver performs setup by talking to the USB device and requesting information. The evil device sends back responses to the driver that trigger the buffer overflow and execute device-provided code.

    You could make this fairly system-independent by putting a number of fake devices in there that exercise different vulnerabilities. Or you could determine what the connecting operating system is (and what drivers it has available) by looking at how it enumerates. You can even have your device use soft reconnects to try out different vulnerable drivers. (You would have the computer-facing port actually connect to a hub. Also easy to engineer up.)

    Can that software access your files and ID you over a USB port?

    So, yes.

    Don't assume that because something looks like a flash drive, it actually is. And don't connect unknown peripherals to your computer -- they talk directly to drivers.

  9. Hardly anonymous by almechist · · Score: 2

    Anyone who thinks this offers some form of anonymity in any way hasn't been paying attention. For instance, the locations are all known, there's a website that lists them all! Anyone interested in exactly who is downloading or uploading what just has to put up a hidden camera to watch the thumb drives.

    So, interesting concept, poor execution. Now if the drives were accessible through wireless means, that would be a step towards creating a true dead-drop network. This thing as described is just a stunt. Art project? Yeah, I can believe that.

  10. Small problem by Hypotensive · · Score: 2

    Your anonymity in a dead drop system depends on the dead drop location being known only to you and to the person with whom you want to exchange the secret.

    As soon as you publish the location of the dead drop anyone can observe it and you have no anonymity whatsoever.