P2P Leaks Surprises

kilian.cavalotti writes "A new Web log is posting what it purports are pictures, documents and letters from U.S. soldiers and military bases in Iraq and elsewhere--all of which the site's operator claims to have downloaded from peer-to-peer networks such as Gnutella. The "See What You Share" site has been online for a week and has published photos ranging from a crashed military jet to a screenshot of a spreadsheet file that appears to include names, addresses and telephone numbers of marines. The site's operator, a 30-year-old named Rick Wallace, wrote in a blog posting that he is trying to help the military understand how serious a security risk unmonitored peer-to-peer file sharing can be."

Start running, Rick

[Anonymous Crowhead]

The FBI is on the way...

Hmm

[triffidsting]

Sounds more like he is trying to train them in target practice to me.

Re:I always thought...

[rpdillon]

You are correct...there is NIPRNET (public internet) and SIPRNET (an entirely seperate, secret and very large network for military). The problem is that sometimes presentation computers are NIPRNET, and sometimes you have to give secret briefs. Or sometimes someone doesn't have SIPRNET set up correctly (its an involved process), so some idiot copies secret files to a floppy. As I said above in my email: SIPRNET computers shouldn't have floppies or zip. No removable media. Oh, and while youre at it, can we ditch all the MS contracts too, and move to something secure?
This is the case all over, and I got tired of it when I was in the military...the security is not where it should be an no one cares.

Re:I think is was said somewhere else...

[Sheetrock]

He can't contact every file sharer directly. In some cases he can't be sure the sharers are the original net source for what they're posting.

This is probably the most efficient way he can get the message across: P2P has absolutely no place in a business or military environment and P2P access should be disabled at the router for security.

Unfortunately this guy could take a fall for trying to do the right thing because of the mindset that the first guy that makes the public aware of a problem is responsible for the problem. When in reality we should be looking at P2P authors.

Re:I always thought...

[PhxBlue]

I always thought military desks had two machines on them. A public internet and a military internet, and at no point were they ever interconnected.

This is true at the base level, but not at the desk level - at least not for most folks. SIPRNET-linked computers, at least at the Standard Systems Group (and DISA, which are both on the same campus), are housed within secure facilities; and computers linked to the NIPRNET (the regular 'Net) are not.

Read before you throw a fit

[cyberlotnet]

Did you read http://www.seewhatyoushare.com/2004/07/why-this-si te-exists.html

He made valid and physical attempts to inform the proper people about the issues and he saw no response, no action, he was basically ignored.

Well I bet they are taking notice now.. I would like to see every single person he talked to in the military that did Nothing up on military charges and kicked out of the military with nothing.

No better yet a true example should be set and they should end up in prison for threating the security of our nation.

Re:I think is was said somewhere else...

[Anonymous Coward]

From the 'Why this site exists' section of his site:


A few months ago, I downloaded some military briefings from the Gnutella Network. The briefings were zipped and the file contained 21 documents with classifications ranging from For Official Use Only to Secret/NO FORN. Shocked at my discovery, I notified an agency on a nearby military installation. When nothing happened, I notified another agency. I continued this course because no action was taken and for a nation at war, I was concerned for the safety of our soldiers.


So it seems, he DID tell those who can do something about it, and that nothing is getting done.

Nothing to see here, move along

[2Wrongs]

Finally a slashdot article I can comment on knowledgably.

I'm an officer in the US Army and on a casual glance through the file list there's nothing on there that's classified. You can look up most of these manuals on google.

Here's a site that lists a couple: US Army Fields Manuals [globalsecurity.org] Not hugely helpful unless you have training and equipment, but I guess if I were a (bored) terrorist, I'd read em.

Re:I think is was said somewhere else...

[kid_wonder]

Thanks for COTFU (clicking on the f'ing url) where he clearly details how he found documents and immediately contacted the appropriate branches of service and/or military bases.

They did NOTHING. So he posted self-censored documents to shame them into fixing the problem.

I have no problem with that.

Re: Why This Site Exists

[tigris]

Foreign Nationals

Re:I got bored just after Kazaa came out.

[TedCheshireAcad]

Really? I would think that you would have more success searching for .pwl files.

Mr. Wallace has interesting point, bad conclusion

[0x0d0a]

Mr. Wallace has an interesting point -- stuff is being accidentally shared that people would probably prefer not to be shared. This is interesting. However, I do not agree with his conclusion, that "legislation has not caught up with the P2P world". All P2P does is enable data to be transferred -- people have been accidentally sharing data for a long time. I remember when an journalist (I believe it was Adam Engst, of TidBITS) wrote an article about how he accidentally placed some pictures of himself that he didn't want made public in a directory with an unusual name on a webserver. They were eventually accidentally made public. This is certainly not a problem inherent to P2P systems -- it can be done on any system that allows data transfer, and on any system that is worldwide and allows anyone to provide data (such as P2P networks or the Web), it is quite certain that accidental distribution of data will happen.

Now, I can agree that some P2P apps could use some revision. P2P apps should not scan the entire hard drive for files -- they really need a "shared" directory to be designated, even if it requires the user to do some extra work. But this is a software user interface issue, not a legal issue that requires legislative intervention, as Mr. Wallace seems to feel.

There is certainly nothing of particular significance to P2P when it comes to potential data leaks. Client-server models can allow just as much a problem.

Re:Okay

[macdaddy]

That second one is Alyssa Milano. I didn't see a picture of her in my Join the Army brochure. :-)

Re:I think is was said somewhere else...

[digital bath]

I believe the grandparent was implying that the original information on the P2P network that this guy downloaded could possibly be misinformation - not the website that this guy put up.

An interesting take on the issue - and certainly possible.

Re:Give that man a cigar

[Dun Malg]

Yes, but unless no one outside that unit, or the military as a whole, has downloaded the thing...the cat is out of the bag. And as the blogger in question demonstrated, people outside the military did download it.

Classified information doesn't work that way. It's heavily compartmentalized and often perishable (becomes inaccurate as time passes). Any one secret document is mostly useless on its own. This is intentional. In order for any really useful information to be put together, several different people have to screw up separately in a fairly short time frame. All aggregate data of high and/or long-term value is guarded with extraordinary zeal. Generally the only way THAT kind of secret stuff gets out is actual espionage from the inside, like that Hanssen jackass in the FBI did.

Real Information: MOD UP

[jdun]

The guy is stupid. Not only does he not know anything about the US military or the regular GI do with their spare times. I do not know if those list are real or fake but the image is nothing to worry about. Most enlisted don't know jack about what the higher echelon is doing until the finial phase. Case in point: My friend got a notice to ship out. He had a one-day notice. No one on the ship except the Captain and his XO know in advance of what was going on. My friend doesn't even know when he will come back. It wasn't a special mission or anything. In fact when he got back home, he told us that they just ran around in circle for ten days doing nothing. This is just a small example of how the military works. The US military don't think like regular civilian.

On the pictures issue, if you go to any gun or military website forum, you will see a lot of pictures that were taken by GIs all over the world, from combats to RR. There are in fact millions of pictures floating around websites that show those kinds of pictures. You don't need P2P to find out. GIs have their own website, units have their website, and God know how many other military related website on the web that show those kind of pictures.

Here is an unit with their website and images. Some of the pictures are from Iraq. I found some of them enjoyable.
http://www.strykernews.com/gallery/out laws?page=1

Re:my email to Glen

[gruhnj]

Since when do you or I get to vote on how the military handles its own housekeeping? It's not up to you or I (or Glen) to establish military policy. All we can do is ask that they please address the issue.

Well, I am one of those that help in establishing military policy. I work in the Theater Network Operation and Security Center - Korea (TNOSC-K). I can tell you that the policy is all there already. The Army has established AR 25-1, Information Systems Security, which specifically addresses NIPER vs SIPER, p2p, spam, and what should be on the firewalls, routers,clients, etc. Problem is the military DOES NOT uniformly enforce said policy. It even sets standards by which you can be punished in the Uniform Code of Military Justice (UCMJ). Network Enterprise Tech Command (NETCOM) has set forth huge amounts of info on policy. And we do our best to insure that its at least as secure as the guidance sent to us from NETCOM.

As a TNOSC member, however, I can only do so much. Sure I can block out info from various subnets, block ports, and attempt to destroy all unauthorized software. It wont mean a dang thing unless I get the platoon leaders and company commanders on board to help me. Dumb users in the military, just as in the real world, outnumber sysadmins by a huge marign. It could even be worse in that the ones in charge may eb the dumb user! Right now most units are stretched thin, more thin that they need to be. For an infantry unit maintaining guns and tatical profenciancy ranks above computer maintence and COMSEC. Its just a fact of infantry life. Infantry shoot guns; computers are secondary. I don't want to imply that infantry are stupid (I used to have a very smart platoon leader that was Ranger Infantry); they are however mostly ignorant on computer security. If thats what we have to deal with when we call and say somethings wrong, we are already going to have a problem catching up. We need them to understand our concerns ( which means bringing them up to speed, a non trival task in itself), and then getting them to fix themselves to our standard. Its no wonder then that these tasks lag behind.

In short, policy people from NETCOM are on top of policy. Everyone else just needs to follow and actually implment it.

SPC John Gruhn
TNOSC-K, Systems Management Branch
1st Signal BDE, Korea
Hurricanes, First to Communicate!