P2P Leaks Surprises 389
kilian.cavalotti writes "A new Web log is posting what it purports are pictures, documents and letters from U.S. soldiers and military bases in Iraq and elsewhere--all of which the site's operator claims to have downloaded from peer-to-peer networks such as Gnutella.
The "See What You Share" site has been online for a week and has published photos ranging from a crashed military jet to a screenshot of a spreadsheet file that appears to include names, addresses and telephone numbers of marines. The site's operator, a 30-year-old named Rick Wallace, wrote in a blog posting that he is trying to help the military understand how serious a security risk unmonitored peer-to-peer file sharing can be."
Okay (Score:5, Funny)
Re:Okay (Score:5, Funny)
I got bored just after Kazaa came out. (Score:2, Interesting)
Re:I got bored just after Kazaa came out. (Score:4, Funny)
Dumb people are really boring.
Re:I got bored just after Kazaa came out. (Score:3, Funny)
This is our front line of defense against Echelon and Carnivore.
KFG
Re:I got bored just after Kazaa came out. (Score:3, Insightful)
Re:I got bored just after Kazaa came out. (Score:3, Informative)
Re:I got bored just after Kazaa came out. (Score:4, Insightful)
"So, how's the weather in [insert locale here] "
Re:Okay (Score:3, Funny)
Okay, this is a little beyond belief, but the woman in that photo is a dead ringer for a former co-worker of mine.
The hair color, length, and style, the facial structure, nose, cheekbones, smile, skin coloration, and general build are all uncannily similar. (But then, I never saw her this scantily clad, more's the pity.) The photo looks so similar to her that I'm even tempted to pass it on to other former co-workers for their o
Re:Okay (Score:3, Insightful)
Re:Okay (Score:4, Informative)
Be very *CAREFUL* with what you want!!! (Score:3, Funny)
Okay, just imagine... that green thingie slips down... and... It's a shemale!
Re:Okay (Score:4, Interesting)
Start running, Rick (Score:2, Informative)
Re:Start running, Rick (Score:3, Interesting)
>> equipment. And in about a week's time, he'll
>> be complaining
I think he's safe.... however this may put the P2P networks in violation of the Patriot act and get 'em shut down really quickly where the RIAA couldn't do it.
I think is was said somewhere else... (Score:4, Insightful)
Re:I think is was said somewhere else... (Score:4, Informative)
This is probably the most efficient way he can get the message across: P2P has absolutely no place in a business or military environment and P2P access should be disabled at the router for security.
Unfortunately this guy could take a fall for trying to do the right thing because of the mindset that the first guy that makes the public aware of a problem is responsible for the problem. When in reality we should be looking at P2P authors.
Re:I think is was said somewhere else... (Score:4, Funny)
Re:I think is was said somewhere else... (Score:5, Informative)
They did NOTHING. So he posted self-censored documents to shame them into fixing the problem.
I have no problem with that.
Re:I think is was said somewhere else... (Score:3, Insightful)
Absolutely not. P2P authors, like any other programmers, are making tools. The person who should be held responsible is whichever idiot shared the files in the first place - even if accidental, why on earth was he running a P2P server on a government machine with classified data?
Military knows P2P is a weakness (Score:3, Insightful)
Now, were these files coming f
Re:I think is was said somewhere else... (Score:2)
I would agree that it might be prudent to inform the public after plugging up any non-human weaknesses, but ultimately, the weak link here is people.
Re:I think is was said somewhere else... (Score:5, Informative)
A few months ago, I downloaded some military briefings from the Gnutella Network. The briefings were zipped and the file contained 21 documents with classifications ranging from For Official Use Only to Secret/NO FORN. Shocked at my discovery, I notified an agency on a nearby military installation. When nothing happened, I notified another agency. I continued this course because no action was taken and for a nation at war, I was concerned for the safety of our soldiers.
So it seems, he DID tell those who can do something about it, and that nothing is getting done.
Re:I think is was said somewhere else... (Score:4, Interesting)
Re:I think is was said somewhere else... (Score:3, Funny)
There's a reason why "military intelligence" is considered an oxymoron.
Re:I think is was said somewhere else... (Score:3, Informative)
An interesting take on the issue - and certainly possible.
Re:I think is was said somewhere else... (Score:3, Interesting)
I guess we COULD track down whoever leaked the info, but why do that when you can go after anyone on or in the remote proximity of any
In the real world it's more difficult... (Score:3, Insightful)
Re:I think is was said somewhere else... (Score:5, Interesting)
A great example of this happened at my university about 10 years ago. The campus ran a cluster of unix machines for students to get email, read usenet, compile C programs, run nethack, etc.
The nerds amongst us were fairly concerned that the admins: 1) didn't keep the passwords in a shadow file, and 2) didn't run Crack on the password file to find weak passwords. I guess the reasons were that: 1) the OS (I think it was AIX at the time) didn't support
So... one of the nerds kinda... "settled" the issue for them. He ran Crack on the entire password table and POSTED all of the cracked login/password combos (a couple thousand out of something like 10,000 users, I think) to the local campus newsgroups.
Of course... this led to only one account being frozen... and you can probably guess whose it was.
But the campus did start to show a newfound interest in password robustness after that.
Re:I think is was said somewhere else... (Score:3, Insightful)
Nope; not off the hook (Score:3, Interesting)
1) Go to any reputable news organization (from CNN to Fox, or anything in between), and tell them that you have managed to acquire military briefings through an online file-sharing service. Let them know that you tried to contact the military and nothing happened.
They will be glad for the scoop, happy to look patriotic, and will know how to shame the military into action
2) If that doesn't work or doesn't appeal,
my email to Glen (Score:5, Insightful)
As a former member of our armed forces, and an avid technophile as well as outspoken supporter of freedom in all its forms, I have a question:
What exactly are you advocating?
It sounds an awful lot like you're complaining, but you have absolutely no idea how to solve the problem you've raised. This is not constructive...it is merely whining. Do you want to ban P2P services? Do you want to attempt to make yet more copy protection systems? Or are you doing what Michael Moore does and complaining about a situation while having no solution whatsoever?
As for my view: it is the price of freedom. If you don't want Secret/NOFORN documents distributed on the web, then don't hand them out to people! Make sure the only machines that have them are on SIPRNET and take out the damn floppy and zip disk drives.
My position: people are stupid, and until we decide to take real measures to protect secret data (i.e. not providing removable media for secret computers), we'll get burned. A nation at war? Yes, I went to Iraq three times in the past three years. But don't blame the soldiers, or the P2P programs. Blame the idiots that make the information available and the idiots who build the computers and set IT policy for the DoD.
Peer to peer filesharing is NOT a security risk. The lack of a comprehensive security program within our military is a security risk.
Regards,
Re:my email to Glen (Score:2)
The military should be requiring all correspondence to be encrypted, sensitive data (especially residence info) to be removed from common access (and also encrypted), and disclaimers to soldiers' respondents detailing how the emails should not be forwarded for said security matters (and maybe a warning of prosecution for privacy violations?).
Re:my email to Glen (Score:5, Insightful)
"Ban" P2P services on military computers? By all means, if that's what it takes. Establish penalties for soldiers who fail to observe security protocols? Abso-effin-lutely. This ain't a civil liberties issue, people, and we're not talking about dismantling entire technological innovations here or anything -- this is the military. I wholeheartedly agree that, before Congress comes along and pushes through any further legislation blaming the American people for failures of security policy (i.e. the Patriot Act), the people who are really and literally on the front lines of the information security issue need to get their shit together in a big way.
Re:my email to Glen (Score:2)
Just so my position is clear: don't legislate against P2P, make the military fix it's security problem.
Glen doesn't go one way or the other, and that's my problem. I want him to take a position on what should be done.
Re:my email to Glen (Score:3, Insightful)
How about every two [gpo.gov] or six [gpo.gov] years? Remember, the Congress approves how the military spends its money, and they define the laws by which the military must operate.
Bring this issue up to your representative's office [house.gov], and let them know that we don't approve the lax I.T. policies. Or how about write to someone on the Armed Services Oversight Committee [senate.gov], inform them that things like this are taking place, that national security is at risk. If the
Re:my email to Glen (Score:3, Informative)
Well, I am one of those that help in establishing military policy. I work in the Theater Network Operation and Security Center - Korea (TNOSC-K). I can tell you that the policy is all there already. The Army has established AR 25-1, Information Systems Security, which specifically addresses NIPER vs SI
Re:my email to Glen (Score:3, Insightful)
Re:my email to Glen (Score:4, Insightful)
Re:my email to Glen (Score:3, Insightful)
* For the Merkins who read this post, sacking is a British term which equates to the American term fire.
Re:my email to Glen (Score:5, Insightful)
Though I agree with you point that p2p is not the problem.
Re:my email to Glen (Score:5, Funny)
I'll bet your auto mechanic just loves it when you refuse to tell him what's wrong, but tell him how to fix it.
KFG
Re:my email to Glen (Score:3, Insightful)
2nd, these aren't classified documents or pictures. Should it be protected? Absolutely, but it's not classified. The problem isn't floppy drives specifically, there are procedure
Re:my email to Glen (Score:2, Interesting)
You might argue that p2p could be useful, but obviously the
Re:my email to Glen (Score:5, Insightful)
1. Create a program of effective affirmative action that would truly provide equal opportunity, as a start, providing such basic things as shelter, healthcare, etc.
2. Eliminate racist drug laws that needlessly disciminate again the poor.
3. Eliminate racist police offices that are one of the biggest threats to the urban population.
Outside our borders, increasing security would involve a similar approach.
1. Work to raise the standard of living rather than handing over resources to corporations that are only interested in plundering.
2. Stop shooting and torturing people, which is one of the biggest threats to security of innocent Iraqi people.
3. Stop giving Israel carte blanch support to murder, round defenseless Palestineans up into concentration camps and bulldoze their homes.
4. Stop supporting corrupt, undemocratic regimes such as Saudi Arabia, Saddam Hussein's Iraq in the 80's, etc.
But, we won't take these steps, our government doesn't take these steps because they realize that security isn't that big of an issue. In fact, the War in Iraq has the effect of increasing terrorism and decreasing security, not just for Americans, but also for the people of Iraq. On the other hand, the people of America won't take these steps because we're a bunch of racist cowards that think that we alone have the right to feel safe in our homes, but that black guy in the ghetto, well, he doesn't, and the Iraqi's in Abu Gharaib, well, they should have known better. It never occurs to us that increasing security of the poor might be the quickest way to create a safe and secure world for everyone. Nor does it occur to us that it is impossible to have perfect security. For some reason we believe that security is our birthright, and ours alone. I can't think of another group on this planet that has a greater expectation of perfect security than middle class Americans. It's a nice goal, but if we are truly interested in real freedom and equality, then we will realize that security can't be just a thing reserved for priveledged American whites.
Re:my email to Glen (Score:3, Insightful)
Uhh, what?
I recognise your solutions as valid ones, but you also need to recognise how urgently they're required because the average security of your citizens frankly, sucks (especially those in the cities)
http://www.mercerhr.com/pressrelease/details.jh t ml ?idContent=1084835
The highest ranking spot for a north american city last year was 40t
Re:my email to Glen (Score:3, Interesting)
Re:my email to Glen (Score:2)
Whatever comprehensive security program you mention (no, I haven't heard it) didn't make it down to the deckplates on my ship, which was commisioned in 1995.
Since you know so much about military security, can you tell me if this program took care of glaring discrepancies in the SIPRNET/NIPRNET information exchange? How about something simple, like I suggested - not providing removab
Re:my email to Glen (Score:3, Insightful)
As we would say in the Army, pull your *!*&(^%$ h
Hmm (Score:2, Informative)
The Emphasis Should be on Security Issues Not P2P (Score:5, Insightful)
Give that man a cigar (Score:5, Interesting)
Oh, and I submitted this with a funnier headli...er, wait, this isn't Fark, is it.
Well, I did submit it, with a link to a ZDNet article [com.com] about it, in which they give a little more detail about what happened with the blogger's attempts to get the authorities involved:Ummmm...what??? How powerful is this senator, that he can pluck a given file off a decentralized P2P network? How did he do that? Am I going to get an insistent knock on my door for even questioning this?
Tell my wife I love her! AIEEEE!!!
Re:Give that man a cigar (Score:3, Insightful)
Re:Give that man a cigar (Score:3, Interesting)
Ummmm...what??? How powerful is this senator, that he can pluck a given file off a decentralized P2P network? How did he do that?
1) Senator calls DOD aide in and says "find where this is being leaked" (hands him copy of secret document
2) DOD aide makes call to appropriate Army commander (based on the unit(s) referenced in secret doc)
3) Army commander calls in his IT and BuddyFucker(couin
Re:Give that man a cigar (Score:4, Informative)
Classified information doesn't work that way. It's heavily compartmentalized and often perishable (becomes inaccurate as time passes). Any one secret document is mostly useless on its own. This is intentional. In order for any really useful information to be put together, several different people have to screw up separately in a fairly short time frame. All aggregate data of high and/or long-term value is guarded with extraordinary zeal. Generally the only way THAT kind of secret stuff gets out is actual espionage from the inside, like that Hanssen jackass in the FBI did.
I think the DoD is going to show him personally... (Score:3, Funny)
olde news... (Score:3, Funny)
search your favourite P2P network for things like ".XLS". When you find some that are obviously not intended for public viewing then look at the person's shared files for more goodies.
not that I'd ever do that.
Re:olde news... (Score:2)
I think the problem is not necessarily better security, but increased user education. Tell people not to "search my hard drive for files to share," to choose what folders are being shared, and to verify periodically what folders/files are shared.
Re:olde news... (Score:3, Insightful)
Not the same thing. (Score:4, Insightful)
I always thought... (Score:5, Interesting)
Re:I always thought... (Score:5, Informative)
This is the case all over, and I got tired of it when I was in the military...the security is not where it should be an no one cares.
Re:I always thought... (Score:4, Informative)
I always thought military desks had two machines on them. A public internet and a military internet, and at no point were they ever interconnected.
This is true at the base level, but not at the desk level - at least not for most folks. SIPRNET-linked computers, at least at the Standard Systems Group (and DISA, which are both on the same campus), are housed within secure facilities; and computers linked to the NIPRNET (the regular 'Net) are not.
Why This Site Exists (Score:3, Interesting)
Why This Site Exists
Technology often outruns legislation. So is the case with Peer 2 Peer networks. Many people obtain P2P software so they can download music or movies. A large number of those people do not have any idea what they are sharing.
A few months ago, I downloaded some military briefings from the Gnutella Network. The briefings were zipped and the file contained 21 documents with classifications ranging from For Official Use Only to Secret/NO FORN. Shocked at my discovery, I notified an agency on a nearby military installation. When nothing happened, I notified another agency. I continued this course because no action was taken and for a nation at war, I was concerned for the safety of our soldiers.
It may appear that I am picking on certain institutions. This is true. I want everyone to know that we can be our own worst enemies when we don't understand the full power of our technology. I want every military and government agency to see first hand what is being shared with anyone who has a computer. Since a picture is worth a thousand words, I can save myself some talking.
----------------------
Freedom or Evil: Freevil.net [freevil.net]
G. W. Bush says, "You decide!"
Re: Why This Site Exists (Score:3, Informative)
Oh no... (Score:2, Insightful)
Oh, and barring any posts while I'm writing this, FP!
Re:Oh no... (Score:2)
Besides, if you intend to share this stuff, you should be using Freenet anyway. No encryption key = no data.
Well we had some freedoms (Score:3, Insightful)
Re:I'm sick of the wannebe oppressed (Score:3, Insightful)
Place your bets now! (Score:5, Interesting)
Why would they arrest him? (Score:2)
He's asking for it (Score:3, Insightful)
His intentions are good, but we all know about that cliche.
But the REAL question is, (Score:5, Funny)
Re:But the REAL question is, (Score:3, Funny)
Searching the web works even better [tuxscreen.net]!
Re:But the REAL question is, (Score:3, Funny)
Absurd (Score:5, Insightful)
Second, if the info isn't classified, why shouldn't it be on p2p? If a jet crashed and there's a picture, and its not classified info, then there's nothing wrong with it being public information, because it IS public information.
Re:Absurd (Score:5, Insightful)
Not with the current administration....remember the casket picture incident? They [the pictures] were not classified, but you better not show them to the people.
Re:Absurd (Score:2)
Good point. In fact, how does he know that all this data was on P2P networks by accident? I hope some of these people shared some of the non-classified data on purpose. Or do we all believe the RIAA's claim that the only purpose of P2P networks is to infringe on copyrights?
Re:Absurd (Score:3, Interesting)
Maybe this will turn out for the best. (Score:2, Funny)
The P2P Disclosures (Score:3, Insightful)
Serious security risk (Score:3, Funny)
he is trying to help the military understand how serious a security risk unmonitored peer-to-peer file sharing can be
He's right -- P2P networks are used to distribute weapons of mass destruction [britneyspears.com].
This can't be too good... (Score:3, Interesting)
The only real problem here is the public disclosure of personal information -- if I were one of the names shown, I'd probably be upset. (of course if this is going on in a widespread fashion, I'd be upset anyway) In the end we can only hope that the "shock value" of presenting these to the public will create enough awareness to minimize the problem.
Otherwise we can all watch as the spinsters pull another argument for their "p2p is evil" campaign.
Quite interesting (Score:2)
Office LAN (Score:2, Interesting)
He was not cautious about his setup, and I very quickly showed him how I could basically browse his entire computer hard drive, and (granted with a little hands-on) very quicky map every network resource his system had access to. I
I believe him completely all those files are legit (Score:2)
Read before you throw a fit (Score:5, Informative)
He made valid and physical attempts to inform the proper people about the issues and he saw no response, no action, he was basically ignored.
Well I bet they are taking notice now.. I would like to see every single person he talked to in the military that did Nothing up on military charges and kicked out of the military with nothing.
No better yet a true example should be set and they should end up in prison for threating the security of our nation.
Re:Read before you throw a fit (Score:2)
He has done his best to both protect while providing enough information to maybe just maybe wake someone in washington up.
Re:Read before you throw a fit (Score:3, Interesting)
I wonder. . . (Score:2)
I kinda hope someone will bother to talk to Capt Farnham about failure to properly handle FOUO and Privacy Act data before his commander gets wind of it.
Surprising (Score:5, Interesting)
I guess some areas of the military just aren't set up that well.
What's NOT in Joan's suitcase? (Score:3, Funny)
Leather Jacket.. Check
Swim Suit.. Check
Necklace.. Check
Gold dress.. Check
Bras.. Check
Shoes.. Check
Panties.. Umm. hmm. Not Check.
I think I'm in love.
Nothing to see here, move along (Score:5, Informative)
Finally a slashdot article I can comment on knowledgably.
I'm an officer in the US Army and on a casual glance through the file list there's nothing on there that's classified. You can look up most of these manuals on google.
Here's a site that lists a couple: US Army Fields Manuals [globalsecurity.org] Not hugely helpful unless you have training and equipment, but I guess if I were a (bored) terrorist, I'd read em.
Re:Nothing to see here, move along (Score:5, Insightful)
I'm sorry to say but it's NOT public knowledge to list what classification level service members have. This guy posted a document with several service member's names AND classification levels. Not only this it lists the base they are stationed at and their names and ranks. He was nice enough to blur out their SSN though...
Well (Score:4, Insightful)
You can't really argue that this is likely to give people ideas and hurt the country, because while it's not a very obvious course, it's highly unlikely that he's the first person who's ever thought of looking for sensitive documents on p2p networks. To say that it's "helping the bad guys" is being naive and underestimating the intelligence gathering skills of the 'enemy'.
To quote the most famous example of terrorism against the United States, if a terrorist organisation is coordinated enough to slip various teams with weapons onto several seperate aircraft, and crash those planes into US buildings, I wouldn't say searching internet resources (be they web or p2p) for sensitive information that has been leaked or poorly secured is beyond them, by any stretch of the imagination.
It's also similar to the "Deceptive Duo", who were Americans who hacked military websites and defaced them with screenshots of personnel databases, under the flag of 'patriotism'; in an attempt to make the military realise the importance of security within their systems. The difference being of course that they intentionally penetrated military networks to achieve this, and used uncensored screenshots of databases, revealing private information on government personnel. As such they were arrested for it.
This site hasn't gone so far as to display any critical security data, or illegally access any systems. I have seen and heard of many examples where a hacker has warned a sysadmin on several occasions about the dangers of vulnerabilities in a network, only to be ignored until finally the site ended up being defaced, so I can understand his impatience to some extent. The next person to run off and harvest this information might not be so eager to censor what they consider to be personal data.
There might be an influx of curious people running off to p2p networks to see what they can turn up, but I really don't see this as too much of a concern in the grand scheme of things; what security risk does a 14 year old kid who wants to look cool pose? It's not information that anyone particularly wants public, but in the hands of the average private citizen, it's not drastically critical. A US citizen could probably get a fair few details from public records, or socially engineer contact details out of people. But any "terrorist" who would have been intelligence gathering has more than likely done this sort of activity already.
It's not the easiest problem to rectify though, without some sort of drastic overhaul in the system, and some method of securing or blocking p2p systems across all military computers, which would be a rather hard thing to enforce, and would annoy many soldiers who are used to using these systems. But of course, national security has to come first. If nothing else, an explanation of the importance of not sharing entire drives would be a start.
What's really funny is... (Score:5, Insightful)
What I find really funny is just what a threat a paranoid public is to liberty and freedom of all Americans.
I'm frankly somewhat comforted by the fact that we have pictures coming out of Iraq that have not been filtered through the military censors and government spin doctors. I think it's good that we find out about Abu Ghraib. There is a fine line between keeping information secret to promote security and keeping information secret to deny culpability.
You can't put the genie back in the bottle: people want digital cameras, internets and camera phones. People will take pictures of things and share them with others. For the most part, I think more is gained than more is lost. The worst thing that can happen is for people to lose sight of what their government and military are doing. Are some images disturbing? Yes. Do they force us to uncomfortable conclusions about our government? Probably. But what is the alternative: to go on as if such things simply didn't happen? I hope we are braver than that.
Mr. Wallace has interesting point, bad conclusion (Score:3, Informative)
Now, I can agree that some P2P apps could use some revision. P2P apps should not scan the entire hard drive for files -- they really need a "shared" directory to be designated, even if it requires the user to do some extra work. But this is a software user interface issue, not a legal issue that requires legislative intervention, as Mr. Wallace seems to feel.
There is certainly nothing of particular significance to P2P when it comes to potential data leaks. Client-server models can allow just as much a problem.
Knowledge is Power - Power to the People! (Score:4, Insightful)
P2P has some disadvantages, like level of confidence in the content. But that can be mitigated by evolution of the same technology, with corroboration amid complex webs of trust. But the leaks of actual recordings of repellant acts make it much harder for their actors to pretend they're anything but trouble. Cameraphones for peace!
Real Information: MOD UP (Score:5, Informative)
On the pictures issue, if you go to any gun or military website forum, you will see a lot of pictures that were taken by GIs all over the world, from combats to RR. There are in fact millions of pictures floating around websites that show those kinds of pictures. You don't need P2P to find out. GIs have their own website, units have their website, and God know how many other military related website on the web that show those kind of pictures.
Here is an unit with their website and images. Some of the pictures are from Iraq. I found some of them enjoyable.
http://www.strykernews.com/gallery/ou
Re:Rick Wallace's behavior is disgusting (Score:2)