P2P Leaks Surprises 389
kilian.cavalotti writes "A new Web log is posting what it purports are pictures, documents and letters from U.S. soldiers and military bases in Iraq and elsewhere--all of which the site's operator claims to have downloaded from peer-to-peer networks such as Gnutella.
The "See What You Share" site has been online for a week and has published photos ranging from a crashed military jet to a screenshot of a spreadsheet file that appears to include names, addresses and telephone numbers of marines. The site's operator, a 30-year-old named Rick Wallace, wrote in a blog posting that he is trying to help the military understand how serious a security risk unmonitored peer-to-peer file sharing can be."
Start running, Rick (Score:2, Informative)
Hmm (Score:2, Informative)
Re:I always thought... (Score:5, Informative)
This is the case all over, and I got tired of it when I was in the military...the security is not where it should be an no one cares.
Re:I think is was said somewhere else... (Score:4, Informative)
This is probably the most efficient way he can get the message across: P2P has absolutely no place in a business or military environment and P2P access should be disabled at the router for security.
Unfortunately this guy could take a fall for trying to do the right thing because of the mindset that the first guy that makes the public aware of a problem is responsible for the problem. When in reality we should be looking at P2P authors.
Re:I always thought... (Score:4, Informative)
I always thought military desks had two machines on them. A public internet and a military internet, and at no point were they ever interconnected.
This is true at the base level, but not at the desk level - at least not for most folks. SIPRNET-linked computers, at least at the Standard Systems Group (and DISA, which are both on the same campus), are housed within secure facilities; and computers linked to the NIPRNET (the regular 'Net) are not.
Read before you throw a fit (Score:5, Informative)
He made valid and physical attempts to inform the proper people about the issues and he saw no response, no action, he was basically ignored.
Well I bet they are taking notice now.. I would like to see every single person he talked to in the military that did Nothing up on military charges and kicked out of the military with nothing.
No better yet a true example should be set and they should end up in prison for threating the security of our nation.
Re:I think is was said somewhere else... (Score:5, Informative)
A few months ago, I downloaded some military briefings from the Gnutella Network. The briefings were zipped and the file contained 21 documents with classifications ranging from For Official Use Only to Secret/NO FORN. Shocked at my discovery, I notified an agency on a nearby military installation. When nothing happened, I notified another agency. I continued this course because no action was taken and for a nation at war, I was concerned for the safety of our soldiers.
So it seems, he DID tell those who can do something about it, and that nothing is getting done.
Nothing to see here, move along (Score:5, Informative)
Finally a slashdot article I can comment on knowledgably.
I'm an officer in the US Army and on a casual glance through the file list there's nothing on there that's classified. You can look up most of these manuals on google.
Here's a site that lists a couple: US Army Fields Manuals [globalsecurity.org] Not hugely helpful unless you have training and equipment, but I guess if I were a (bored) terrorist, I'd read em.
Re:I think is was said somewhere else... (Score:5, Informative)
They did NOTHING. So he posted self-censored documents to shame them into fixing the problem.
I have no problem with that.
Re: Why This Site Exists (Score:3, Informative)
Re:I got bored just after Kazaa came out. (Score:3, Informative)
Mr. Wallace has interesting point, bad conclusion (Score:3, Informative)
Now, I can agree that some P2P apps could use some revision. P2P apps should not scan the entire hard drive for files -- they really need a "shared" directory to be designated, even if it requires the user to do some extra work. But this is a software user interface issue, not a legal issue that requires legislative intervention, as Mr. Wallace seems to feel.
There is certainly nothing of particular significance to P2P when it comes to potential data leaks. Client-server models can allow just as much a problem.
Re:Okay (Score:4, Informative)
Re:I think is was said somewhere else... (Score:3, Informative)
An interesting take on the issue - and certainly possible.
Re:Give that man a cigar (Score:4, Informative)
Classified information doesn't work that way. It's heavily compartmentalized and often perishable (becomes inaccurate as time passes). Any one secret document is mostly useless on its own. This is intentional. In order for any really useful information to be put together, several different people have to screw up separately in a fairly short time frame. All aggregate data of high and/or long-term value is guarded with extraordinary zeal. Generally the only way THAT kind of secret stuff gets out is actual espionage from the inside, like that Hanssen jackass in the FBI did.
Real Information: MOD UP (Score:5, Informative)
On the pictures issue, if you go to any gun or military website forum, you will see a lot of pictures that were taken by GIs all over the world, from combats to RR. There are in fact millions of pictures floating around websites that show those kinds of pictures. You don't need P2P to find out. GIs have their own website, units have their website, and God know how many other military related website on the web that show those kind of pictures.
Here is an unit with their website and images. Some of the pictures are from Iraq. I found some of them enjoyable.
http://www.strykernews.com/gallery/ou
Re:my email to Glen (Score:3, Informative)
Well, I am one of those that help in establishing military policy. I work in the Theater Network Operation and Security Center - Korea (TNOSC-K). I can tell you that the policy is all there already. The Army has established AR 25-1, Information Systems Security, which specifically addresses NIPER vs SIPER, p2p, spam, and what should be on the firewalls, routers,clients, etc. Problem is the military DOES NOT uniformly enforce said policy. It even sets standards by which you can be punished in the Uniform Code of Military Justice (UCMJ). Network Enterprise Tech Command (NETCOM) has set forth huge amounts of info on policy. And we do our best to insure that its at least as secure as the guidance sent to us from NETCOM.
As a TNOSC member, however, I can only do so much. Sure I can block out info from various subnets, block ports, and attempt to destroy all unauthorized software. It wont mean a dang thing unless I get the platoon leaders and company commanders on board to help me. Dumb users in the military, just as in the real world, outnumber sysadmins by a huge marign. It could even be worse in that the ones in charge may eb the dumb user! Right now most units are stretched thin, more thin that they need to be. For an infantry unit maintaining guns and tatical profenciancy ranks above computer maintence and COMSEC. Its just a fact of infantry life. Infantry shoot guns; computers are secondary. I don't want to imply that infantry are stupid (I used to have a very smart platoon leader that was Ranger Infantry); they are however mostly ignorant on computer security. If thats what we have to deal with when we call and say somethings wrong, we are already going to have a problem catching up. We need them to understand our concerns ( which means bringing them up to speed, a non trival task in itself), and then getting them to fix themselves to our standard. Its no wonder then that these tasks lag behind.
In short, policy people from NETCOM are on top of policy. Everyone else just needs to follow and actually implment it.
SPC John Gruhn
TNOSC-K, Systems Management Branch
1st Signal BDE, Korea
Hurricanes, First to Communicate!