P2P Leaks Surprises

kilian.cavalotti writes "A new Web log is posting what it purports are pictures, documents and letters from U.S. soldiers and military bases in Iraq and elsewhere--all of which the site's operator claims to have downloaded from peer-to-peer networks such as Gnutella. The "See What You Share" site has been online for a week and has published photos ranging from a crashed military jet to a screenshot of a spreadsheet file that appears to include names, addresses and telephone numbers of marines. The site's operator, a 30-year-old named Rick Wallace, wrote in a blog posting that he is trying to help the military understand how serious a security risk unmonitored peer-to-peer file sharing can be."

Okay

[Corporate Troll (537873)]

I don't care what the military shares, but I surely want to see more of her [seewhatyoushare.com]... Redheads.... *drool* ;-)

Re:Okay

[stinkyfingers (588428)]

I smell a new pornsite: www.p2pmilitarywives.com

Re:I got bored just after Kazaa came out.

[topynate (694371)]

I read people's mail, and after msn messenger 6, their chat logs.

Dumb people are really boring.

Re:I got bored just after Kazaa came out.

[Com2Kid (142006)]

I prefer looking up people's resume and sending them a message,

"So, how's the weather in [insert locale here] "

Re:Okay

[macdaddy (38372)]

That second one is Alyssa Milano. I didn't see a picture of her in my Join the Army brochure. :-)

Re:Okay

[lawpoop (604919)]

this site [diddly.com] shows random pictures on google image search based on naming conventions of digital cameras.

I think is was said somewhere else...

[agraupe (769778)]

If you choose to expose security weaknesses, don't take advantage of them. Tell those who can fix it/do something about it, and no one else. What this person is doing will just give other people ideas.

Re:I think is was said somewhere else...

[Sheetrock (152993)]

He can't contact every file sharer directly. In some cases he can't be sure the sharers are the original net source for what they're posting.

This is probably the most efficient way he can get the message across: P2P has absolutely no place in a business or military environment and P2P access should be disabled at the router for security.

Unfortunately this guy could take a fall for trying to do the right thing because of the mindset that the first guy that makes the public aware of a problem is responsible for the problem. When in reality we should be looking at P2P authors.

Re:I think is was said somewhere else...

[Exiler (589908)]

We should be looking at P2P authors for providing a medium that people use to do wrong?

Re:I think is was said somewhere else...

[kid_wonder (21480)]

Thanks for COTFU (clicking on the f'ing url) where he clearly details how he found documents and immediately contacted the appropriate branches of service and/or military bases.

They did NOTHING. So he posted self-censored documents to shame them into fixing the problem.

I have no problem with that.

Re:I think is was said somewhere else...

[by Anonymous Coward]

From the 'Why this site exists' section of his site:


A few months ago, I downloaded some military briefings from the Gnutella Network. The briefings were zipped and the file contained 21 documents with classifications ranging from For Official Use Only to Secret/NO FORN. Shocked at my discovery, I notified an agency on a nearby military installation. When nothing happened, I notified another agency. I continued this course because no action was taken and for a nation at war, I was concerned for the safety of our soldiers.


So it seems, he DID tell those who can do something about it, and that nothing is getting done.

Re:I think is was said somewhere else...

[DNS-and-BIND (461968)]

Ever consider that this is misinformation, intentionally meant to fall into the hands of the enemy?

Re:I think is was said somewhere else...

[Zareste (761710)]

The problem is that somebody published the pictures on the network. Did anybody notice that, or would we rather just follow Rick's solution and have the people from our oh-so-trustworthy 'that blunder is confidential' military tell us what we can publish and see on the internet? Oh, sounds great. "Hey Jim, this picture has 'no war' written on it. You know what to do..."

I guess we COULD track down whoever leaked the info, but why do that when you can go after anyone on or in the remote proximity of any

Re:I think is was said somewhere else...

[jemenake (595948)]

If you choose to expose security weaknesses, don't take advantage of them. Tell those who can fix it/do something about it, and no one else. What this person is doing will just give other people ideas.

Unfortunately, most people don't take it seriously unless it really happens to them or if they see it happen to someone else like them.

A great example of this happened at my university about 10 years ago. The campus ran a cluster of unix machines for students to get email, read usenet, compile C programs, run nethack, etc.

The nerds amongst us were fairly concerned that the admins: 1) didn't keep the passwords in a shadow file, and 2) didn't run Crack on the password file to find weak passwords. I guess the reasons were that: 1) the OS (I think it was AIX at the time) didn't support /etc/shadow, and 2) the admins shuddered at the thought of freezing the accounts of and having to talk scores of users through the process of changing their passwords.

So... one of the nerds kinda... "settled" the issue for them. He ran Crack on the entire password table and POSTED all of the cracked login/password combos (a couple thousand out of something like 10,000 users, I think) to the local campus newsgroups.

Of course... this led to only one account being frozen... and you can probably guess whose it was.

But the campus did start to show a newfound interest in password robustness after that.

my email to Glen

[rpdillon (715137)]

Glen Breakwater-

As a former member of our armed forces, and an avid technophile as well as outspoken supporter of freedom in all its forms, I have a question:

What exactly are you advocating?

It sounds an awful lot like you're complaining, but you have absolutely no idea how to solve the problem you've raised. This is not constructive...it is merely whining. Do you want to ban P2P services? Do you want to attempt to make yet more copy protection systems? Or are you doing what Michael Moore does and complaining about a situation while having no solution whatsoever?

As for my view: it is the price of freedom. If you don't want Secret/NOFORN documents distributed on the web, then don't hand them out to people! Make sure the only machines that have them are on SIPRNET and take out the damn floppy and zip disk drives.

My position: people are stupid, and until we decide to take real measures to protect secret data (i.e. not providing removable media for secret computers), we'll get burned. A nation at war? Yes, I went to Iraq three times in the past three years. But don't blame the soldiers, or the P2P programs. Blame the idiots that make the information available and the idiots who build the computers and set IT policy for the DoD.

Peer to peer filesharing is NOT a security risk. The lack of a comprehensive security program within our military is a security risk.

Regards,

Re:my email to Glen

[PCM2 (4486)]

It sounds an awful lot like you're complaining, but you have absolutely no idea how to solve the problem you've raised. This is not constructive...it is merely whining.

Um ... as a taxpaying citizen, is it really too much to ask for the military to take care of its own business, when ostensibly the security of our entire nation is at stake? Since when do you or I get to vote on how the military handles its own housekeeping? It's not up to you or I (or Glen) to establish military policy. All we can do is ask that they please address the issue. I think he's done that in a pretty alarmist way -- but he obviously feels like that's what it's going to take.

"Ban" P2P services on military computers? By all means, if that's what it takes. Establish penalties for soldiers who fail to observe security protocols? Abso-effin-lutely. This ain't a civil liberties issue, people, and we're not talking about dismantling entire technological innovations here or anything -- this is the military. I wholeheartedly agree that, before Congress comes along and pushes through any further legislation blaming the American people for failures of security policy (i.e. the Patriot Act), the people who are really and literally on the front lines of the information security issue need to get their shit together in a big way.

Re:my email to Glen

[PCM2 (4486)]

Actually, let me amend that -- the power to establish military laws and see that they are enforced rests with Congress, not just the president. So you get to influence that by voting for your representatives in Congress. Nationally, there are almost 500 of these. A Web site like this one stands a good chance of reaching the attention of all of them, however, so in a way it's a sneaky way to get around the way our representative democracy limits the individual's influence over the process.

Re:my email to Glen

[criquet (120814)]

Simply because someone raises an issue that concerns them without having a (stated) solution does not constitute complaining nor whining.

Though I agree with you point that p2p is not the problem.

Re:my email to Glen

[kfg (145172)]

It sounds an awful lot like you're complaining, but you have absolutely no idea how to solve the problem you've raised. This is not constructive...it is merely whining.

I'll bet your auto mechanic just loves it when you refuse to tell him what's wrong, but tell him how to fix it.

KFG

Re:my email to Glen

[Monkeyman334 (205694)]

The problem is the lack of accountability. The people sharing these files are already breaking the UCMJ, specifically failure to obey, by installing unauthorized software. If those pictures are from a military computer, then they most likely downloaded from a personal camera that shouldn't have been attached to the network as well.

2nd, these aren't classified documents or pictures. Should it be protected? Absolutely, but it's not classified. The problem isn't floppy drives specifically, there are procedure

Re:my email to Glen

[composer777 (175489)]

My take on it is that all this talk of security is pretty ridiculous. You're average American belongs to the safest and least threatened group in the entire world. If we cared that much about security we would realize that the first step in creating real security is to provide it to those who need it the most, not those who need it the least. We could start at home, by providing security for those who are most threatened by violence on a daily basis, that is, the poor and the minorities. Ironcially, by focusing on increasing their security, we would in fact also be making the world safer for the most secure group, rich whites. Increasing security for the disadvantaged could involve a multi pronged approach:
1. Create a program of effective affirmative action that would truly provide equal opportunity, as a start, providing such basic things as shelter, healthcare, etc.
2. Eliminate racist drug laws that needlessly disciminate again the poor.
3. Eliminate racist police offices that are one of the biggest threats to the urban population.

Outside our borders, increasing security would involve a similar approach.
1. Work to raise the standard of living rather than handing over resources to corporations that are only interested in plundering.
2. Stop shooting and torturing people, which is one of the biggest threats to security of innocent Iraqi people.
3. Stop giving Israel carte blanch support to murder, round defenseless Palestineans up into concentration camps and bulldoze their homes.
4. Stop supporting corrupt, undemocratic regimes such as Saudi Arabia, Saddam Hussein's Iraq in the 80's, etc.

But, we won't take these steps, our government doesn't take these steps because they realize that security isn't that big of an issue. In fact, the War in Iraq has the effect of increasing terrorism and decreasing security, not just for Americans, but also for the people of Iraq. On the other hand, the people of America won't take these steps because we're a bunch of racist cowards that think that we alone have the right to feel safe in our homes, but that black guy in the ghetto, well, he doesn't, and the Iraqi's in Abu Gharaib, well, they should have known better. It never occurs to us that increasing security of the poor might be the quickest way to create a safe and secure world for everyone. Nor does it occur to us that it is impossible to have perfect security. For some reason we believe that security is our birthright, and ours alone. I can't think of another group on this planet that has a greater expectation of perfect security than middle class Americans. It's a nice goal, but if we are truly interested in real freedom and equality, then we will realize that security can't be just a thing reserved for priveledged American whites.

The Emphasis Should be on Security Issues Not P2P

[The Importance of (529734)]

The problem is that the website author emphasizes that "Technology often outruns legislation. So is the case with Peer 2 Peer networks." He seems to assume that P2P should be legislated against. However, this is a security issue, not an issue specific to P2P systems. Education and other controls should be used to minimize this problem. The military would never let Joe Soldier run a rogue server, why would they let them run any old P2P app on a system with classified information? See, P2P Problem or Security Issue? [corante.com].

Give that man a cigar

[Atario (673917)]

You hit the nail on the head. The same principles apply to soldiers gabbing about classified stuff F2F, never mind P2P.

Oh, and I submitted this with a funnier headli...er, wait, this isn't Fark, is it.

Well, I did submit it, with a link to a ZDNet article [com.com] about it, in which they give a little more detail about what happened with the blogger's attempts to get the authorities involved:

In an interview from Germany, where he lives with his wife, a U.S. Army officer, Wallace said he had contacted local military intelligence about the issue. They forwarded the information to a higher level, but there was little further response until he contacted the office of Sen. Conrad Burns, who represents Wallace's home state of Montana, Wallace said.
...
Shortly after Wallace got in contact with Burns' office, the file of classified documents disappeared from Gnutella.

Ummmm...what??? How powerful is this senator, that he can pluck a given file off a decentralized P2P network? How did he do that? Am I going to get an insistent knock on my door for even questioning this?

Tell my wife I love her! AIEEEE!!!

Re:Give that man a cigar

[Dun Malg (230075)]

Yes, but unless no one outside that unit, or the military as a whole, has downloaded the thing...the cat is out of the bag. And as the blogger in question demonstrated, people outside the military did download it.

Classified information doesn't work that way. It's heavily compartmentalized and often perishable (becomes inaccurate as time passes). Any one secret document is mostly useless on its own. This is intentional. In order for any really useful information to be put together, several different people have to screw up separately in a fairly short time frame. All aggregate data of high and/or long-term value is guarded with extraordinary zeal. Generally the only way THAT kind of secret stuff gets out is actual espionage from the inside, like that Hanssen jackass in the FBI did.

I think the DoD is going to show him personally...

[markana (152984)]

the risks of P2P.... especially publicly exposing security holes.

olde news...

[grub (11606)]

search your favourite P2P network for things like ".XLS". When you find some that are obviously not intended for public viewing then look at the person's shared files for more goodies.

not that I'd ever do that.

Re:olde news...

[trentblase (717954)]

If you have a system installed whereby I ring your doorbell and documents get thrown out the mail slot, then you deserve to lose them.

Not the same thing.

[DAldredge (2353)]

Sharing files on a p2p network is just that, sharing files. It's not like forgeting to lock your door, it's like having a flashing neon sign that same 'come in' and then getting upset when people do.

I always thought...

[digitalsushi (137809)]

I always thought military desks had two machines on them. A public internet and a military internet, and at no point were they ever interconnected. Is there any shade of truth of that *at all* in any branch of our military? It certainly sounds like any casual remark anyone might make at the watercooler, but it'd be interesting to hear from someone who's been there.

Re:I always thought...

[rpdillon (715137)]

You are correct...there is NIPRNET (public internet) and SIPRNET (an entirely seperate, secret and very large network for military). The problem is that sometimes presentation computers are NIPRNET, and sometimes you have to give secret briefs. Or sometimes someone doesn't have SIPRNET set up correctly (its an involved process), so some idiot copies secret files to a floppy. As I said above in my email: SIPRNET computers shouldn't have floppies or zip. No removable media. Oh, and while youre at it, can we ditch all the MS contracts too, and move to something secure?
This is the case all over, and I got tired of it when I was in the military...the security is not where it should be an no one cares.

Re:I always thought...

[PhxBlue (562201)]

I always thought military desks had two machines on them. A public internet and a military internet, and at no point were they ever interconnected.

This is true at the base level, but not at the desk level - at least not for most folks. SIPRNET-linked computers, at least at the Standard Systems Group (and DISA, which are both on the same campus), are housed within secure facilities; and computers linked to the NIPRNET (the regular 'Net) are not.

Why This Site Exists

[diagnosis (38691)]

Taken from the web site:

Why This Site Exists
Technology often outruns legislation. So is the case with Peer 2 Peer networks. Many people obtain P2P software so they can download music or movies. A large number of those people do not have any idea what they are sharing.

A few months ago, I downloaded some military briefings from the Gnutella Network. The briefings were zipped and the file contained 21 documents with classifications ranging from For Official Use Only to Secret/NO FORN. Shocked at my discovery, I notified an agency on a nearby military installation. When nothing happened, I notified another agency. I continued this course because no action was taken and for a nation at war, I was concerned for the safety of our soldiers.

It may appear that I am picking on certain institutions. This is true. I want everyone to know that we can be our own worst enemies when we don't understand the full power of our technology. I want every military and government agency to see first hand what is being shared with anyone who has a computer. Since a picture is worth a thousand words, I can save myself some talking.

----------------------
Freedom or Evil: Freevil.net [freevil.net]
G. W. Bush says, "You decide!"

Well we had some freedoms

[SteroidMan (782859)]

Yikes! Is he trying to get what little liberties we have left removed? And we thought the RIAA/MPAA were the biggest threat to P2P networks. They have nothing on a peeved military!

Place your bets now!

[koganuts (526569)]

It'll be interesting to see how long it'll take before the operator of that weblog is arrested, even though he's trying to prove a point.

He's asking for it

[Dukeofshadows (607689)]

Would anyone else be surprised if this site is shut down or sternly repremanded (perhaps quite publicly) within the week?

His intentions are good, but we all know about that cliche.

But the REAL question is,

[whoever57 (658626)]

... where are the other "raunchy" photos?

Absurd

[cephyn (461066)]

First off, if classified info got to a P2P network, then there was a security breach BEFORE it got there. The p2p network is not the problem.

Second, if the info isn't classified, why shouldn't it be on p2p? If a jet crashed and there's a picture, and its not classified info, then there's nothing wrong with it being public information, because it IS public information.

Re:Absurd

[FerretFrottage (714136)]

If a jet crashed and there's a picture, and its not classified info, then there's nothing wrong with it being public information, because it IS public information.

Not with the current administration....remember the casket picture incident? They [the pictures] were not classified, but you better not show them to the people.

The P2P Disclosures

[enforcer999 (733591)]

I believe that the problem is not P2P vulnerabilities but the users knowledge of the software and how to secure their own files. What it boils down to consumer education.

Serious security risk

[EnnTeeDee (799496)]

he is trying to help the military understand how serious a security risk unmonitored peer-to-peer file sharing can be

He's right -- P2P networks are used to distribute weapons of mass destruction [britneyspears.com].

This can't be too good...

[Eberlin (570874)]

This is different from full-disclosure of software vulnerabilities because this is more a human error than anything else. It's not like there's software to be patched...it's a matter of educating the user as to what they're doing wrong.

The only real problem here is the public disclosure of personal information -- if I were one of the names shown, I'd probably be upset. (of course if this is going on in a widespread fashion, I'd be upset anyway) In the end we can only hope that the "shock value" of presenting these to the public will create enough awareness to minimize the problem.

Otherwise we can all watch as the spinsters pull another argument for their "p2p is evil" campaign.

Read before you throw a fit

[cyberlotnet (182742)]

Did you read http://www.seewhatyoushare.com/2004/07/why-this-si te-exists.html

He made valid and physical attempts to inform the proper people about the issues and he saw no response, no action, he was basically ignored.

Well I bet they are taking notice now.. I would like to see every single person he talked to in the military that did Nothing up on military charges and kicked out of the military with nothing.

No better yet a true example should be set and they should end up in prison for threating the security of our nation.

Surprising

[Quila (201335)]

In the extremely large military network I worked on, all P2P ports were blocked (the rule was deny all, allow by exception) and the IDS was tweaked to catch anyone who fiddled with the ports to get around that. The security guys were not nice to people they caught.

I guess some areas of the military just aren't set up that well.

What's NOT in Joan's suitcase?

[canter (43098)]

It sure seems like Joan is a Harley Davidson freak. It looks like she's completely outfitted for a week of sun and fun..

Leather Jacket.. Check
Swim Suit.. Check
Necklace.. Check
Gold dress.. Check
Bras.. Check
Shoes.. Check
Panties.. Umm. hmm. Not Check.

I think I'm in love.

Nothing to see here, move along

[2Wrongs (627651)]

Finally a slashdot article I can comment on knowledgably.

I'm an officer in the US Army and on a casual glance through the file list there's nothing on there that's classified. You can look up most of these manuals on google.

Here's a site that lists a couple: US Army Fields Manuals [globalsecurity.org] Not hugely helpful unless you have training and equipment, but I guess if I were a (bored) terrorist, I'd read em.

Re:Nothing to see here, move along

[Mz6 (741941)]

As I've stated previously on here...

I'm sorry to say but it's NOT public knowledge to list what classification level service members have. This guy posted a document with several service member's names AND classification levels. Not only this it lists the base they are stationed at and their names and ranks. He was nice enough to blur out their SSN though...

Well

[XeRXeS-TCN (788834)]

You can't really argue that this is likely to give people ideas and hurt the country, because while it's not a very obvious course, it's highly unlikely that he's the first person who's ever thought of looking for sensitive documents on p2p networks. To say that it's "helping the bad guys" is being naive and underestimating the intelligence gathering skills of the 'enemy'.

To quote the most famous example of terrorism against the United States, if a terrorist organisation is coordinated enough to slip various teams with weapons onto several seperate aircraft, and crash those planes into US buildings, I wouldn't say searching internet resources (be they web or p2p) for sensitive information that has been leaked or poorly secured is beyond them, by any stretch of the imagination.

It's also similar to the "Deceptive Duo", who were Americans who hacked military websites and defaced them with screenshots of personnel databases, under the flag of 'patriotism'; in an attempt to make the military realise the importance of security within their systems. The difference being of course that they intentionally penetrated military networks to achieve this, and used uncensored screenshots of databases, revealing private information on government personnel. As such they were arrested for it.

This site hasn't gone so far as to display any critical security data, or illegally access any systems. I have seen and heard of many examples where a hacker has warned a sysadmin on several occasions about the dangers of vulnerabilities in a network, only to be ignored until finally the site ended up being defaced, so I can understand his impatience to some extent. The next person to run off and harvest this information might not be so eager to censor what they consider to be personal data.

There might be an influx of curious people running off to p2p networks to see what they can turn up, but I really don't see this as too much of a concern in the grand scheme of things; what security risk does a 14 year old kid who wants to look cool pose? It's not information that anyone particularly wants public, but in the hands of the average private citizen, it's not drastically critical. A US citizen could probably get a fair few details from public records, or socially engineer contact details out of people. But any "terrorist" who would have been intelligence gathering has more than likely done this sort of activity already.

It's not the easiest problem to rectify though, without some sort of drastic overhaul in the system, and some method of securing or blocking p2p systems across all military computers, which would be a rather hard thing to enforce, and would annoy many soldiers who are used to using these systems. But of course, national security has to come first. If nothing else, an explanation of the importance of not sharing entire drives would be a start.

What's really funny is...

[raytracer (51035)]

What I find really funny is just what a threat a paranoid public is to liberty and freedom of all Americans.

I'm frankly somewhat comforted by the fact that we have pictures coming out of Iraq that have not been filtered through the military censors and government spin doctors. I think it's good that we find out about Abu Ghraib. There is a fine line between keeping information secret to promote security and keeping information secret to deny culpability.

You can't put the genie back in the bottle: people want digital cameras, internets and camera phones. People will take pictures of things and share them with others. For the most part, I think more is gained than more is lost. The worst thing that can happen is for people to lose sight of what their government and military are doing. Are some images disturbing? Yes. Do they force us to uncomfortable conclusions about our government? Probably. But what is the alternative: to go on as if such things simply didn't happen? I hope we are braver than that.

Knowledge is Power - Power to the People!

[Doc Ruby (173196)]

These leaks are exactly why the "old media", and the politics (Republican, Democrat, Libertarian, you name it) they protect, fear P2P technology so much. Their power, and the profiteering it perpetuates, depends on their central control of the "official truth". One of the mechanisms that accelerated the demise of the Soviet Union was the spread of fax machines in Eastern Europe, which made Pravda ("Truth") too complicated to manage in the minds of the people it oppressed. Now the more nuanced American media control is threatened by more advanced technology, and regime change is in the air.

P2P has some disadvantages, like level of confidence in the content. But that can be mitigated by evolution of the same technology, with corroboration amid complex webs of trust. But the leaks of actual recordings of repellant acts make it much harder for their actors to pretend they're anything but trouble. Cameraphones for peace!

Real Information: MOD UP

[jdun (310373)]

The guy is stupid. Not only does he not know anything about the US military or the regular GI do with their spare times. I do not know if those list are real or fake but the image is nothing to worry about. Most enlisted don't know jack about what the higher echelon is doing until the finial phase. Case in point: My friend got a notice to ship out. He had a one-day notice. No one on the ship except the Captain and his XO know in advance of what was going on. My friend doesn't even know when he will come back. It wasn't a special mission or anything. In fact when he got back home, he told us that they just ran around in circle for ten days doing nothing. This is just a small example of how the military works. The US military don't think like regular civilian.

On the pictures issue, if you go to any gun or military website forum, you will see a lot of pictures that were taken by GIs all over the world, from combats to RR. There are in fact millions of pictures floating around websites that show those kinds of pictures. You don't need P2P to find out. GIs have their own website, units have their website, and God know how many other military related website on the web that show those kind of pictures.

Here is an unit with their website and images. Some of the pictures are from Iraq. I found some of them enjoyable.
http://www.strykernews.com/gallery/out laws?page=1