Forgot your password?
typodupeerror
Data Storage Communications Networking

Dead Drops P2P File Sharing Spreads Around Globe 174

Posted by Soulskill
from the will-someday-enable-a-revolution-in-dystopia dept.
Lucas123 writes "After beginning as an art project 3 years ago in Manhattan to thwart government online spying and offer a physical depiction of our digitally-connected society, a trend of embedding USB thumb drives in walls has caught on and spread to every continent but Antarctica. Dead Drops, as the anonymous P2P files sharing network is called, now has more than 1,200 locations worldwide and has morphed as participants have become more creative in not only where they place the drives, but how they share files, including creating WiFi locations. The thumb drives, which range in size from a few megabytes to 60GB, have allowed people to share music, video, personal photos, poetry, political discourse, or artwork anonymously. Dead Drops creator, German artist Aram Bartholl, said the project is a way to 'un-cloud' file sharing."
This discussion has been archived. No new comments can be posted.

Dead Drops P2P File Sharing Spreads Around Globe

Comments Filter:
  • Why yes! (Score:5, Insightful)

    by Frosty Piss (770223) * on Wednesday October 02, 2013 @04:13PM (#45018361)

    I'd be happy to plug my netbook / phone / multimedia device into this unknown thumb drive. Why not? I've got anti-virus...

    • I prefer to plug in random firewire [breaknenter.org] cables that i find hanging out of walls.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      don't mount the drive as root...
      or better yet, use a livecd boot and only mount a small partition you set aside for this.

    • by jez9999 (618189)

      You're already wearing a pretty effective condom, it's called not running anything. There's absolutely no reason that the insertion of a storage device should cause your machine to run any of its code. If your OS is doing so it's a lousy OS.

      • Re:Why yes! (Score:5, Insightful)

        by i kan reed (749298) on Wednesday October 02, 2013 @04:32PM (#45018561) Homepage Journal

        Yes, windows blows, but a smart operating system doesn't protect you. A known flaw in the drivers for a USB drive could still allow execution of arbitrary code.

        • by Anonymous Coward

          Yes, windows blows

          It blows in many ways, but it's pretty easy to disable this autorun 'feature.'

        • A known flaw in the drivers for a USB drive could still allow execution of arbitrary code.

          Why hasn't the known flaw been fixed yet if it's a known flaw?

      • Re:Why yes! (Score:5, Interesting)

        by Hobadee (787558) on Wednesday October 02, 2013 @04:48PM (#45018781) Homepage Journal

        You are making a pretty big assumption there that what you are plugging in is actually a storage device. It could easily be a device which shows up as an HID device and plays back a macro. "Alt-F2, 'xterm', Enter, 'rm -rf /', Enter" would be pretty devastating on your secure Linux box which doesn't run anything from removable media.

        Just because it looks like a thumb drive, doesn't mean it is one!

        • It could easily be a device which shows up as an HID device and plays back a macro.

          Could you use an HID device to steal PIN numbers from an ATM machine?

          /pedant

        • by fnj (64210)

          Yeah, that would be real bad. If you ran the GUI as root like an idiot.

          • by Trogre (513942)

            Or as any other user.

            rm -Rf / will be equally devastating to an unprivileged user's data. It just won't leave you with a non-functional computer.

          • rm -Rf ~/ could be pretty devastating if you're the only user on the machine, and all the stuff you care about is under ~/
        • by Culture20 (968837)
          s@rm -rf /@/bin/rm -rf ~/@
          would be devastating enough to most folk (and wouldn't require root privs)
          There are other things that could happen too: setting up a cronjob/scheduled task for a secure tunnel to a dynamic address or a daemon that regularly downloads new exploit code and attempts to get root/administrator
        • You are making a pretty big assumption there that what you are plugging in is actually a storage device. It could easily be a device which shows up as an HID device and plays back a macro. "Alt-F2, 'xterm', Enter, 'rm -rf /', Enter" would be pretty devastating on your secure Linux box which doesn't run anything from removable media.

          Just because it looks like a thumb drive, doesn't mean it is one!

          You don't an xterm to enter commands in unix/linux. You actually don't even need a shell, but it makes things a little easier.

        • by Reziac (43301) *

          Also I'm wondering how long before these drops become 'targets' for law enforcement.

      • Re:Why yes! (Score:5, Informative)

        by jkflying (2190798) on Wednesday October 02, 2013 @04:49PM (#45018785)

        You're thinking software. Try thinking hardware.

        I bet by hooking the other end of the USB up to 220V I could do some pretty nasty things to your computer.

        • by Trogre (513942)

          Or the other way around:

          Now that there's a nice centrally-administered map database for all these, what's to stop antagonistic operatives (govt, RIAA, etc) systematically applying portable high voltage flash-zappers to these, rendering them all useless?

      • by blueg3 (192743)

        How do you know it's a storage device? It's just something with a USB port that happens to look vaguely like a storage device. But with USB, it's pretty trivial to do something like have that USB device present itself to the system as a storage device, mouse, and keyboard.

        There's also no shortage of vulnerabilities in the USB stack. A buffer overflow in a USB driver, for example. This is all handled during enumeration, when (with any operating system), the user has little control over the OS's behavior.

      • by geekoid (135745)

        Every Major OS has the capability.

      • You don't know shit about USB rubber ducky.

        http://hakshop.myshopify.com/products/usb-rubber-ducky [myshopify.com]

        Make your time.
        All your base are belong to us.

        • by Yomers (863527)
          Interesting device! How to protect linux computer from such attack, besides glueing USB ports? Any way to make it to ask for user password upon inserting HID device?
    • by pwizard2 (920421)
      If you just want to see what's there, a laptop running a Linux LiveCD (with all hard drives unmounted) would eliminate much of the risk.
    • I'd be happy to plug my netbook / phone / multimedia device into this unknown thumb drive. Why not? I've got Linux.

  • Better idea (Score:5, Informative)

    by MrEricSir (398214) on Wednesday October 02, 2013 @04:17PM (#45018403) Homepage

    While it requires power, something like the PirateBox [daviddarts.com] seems like a safer alternative. It relies on wifi, which means you don't have to be in one physical spot to use it, and you don't run the risk of pluggin your computer into something you can't see. You never know, it could be a 240 volt power line attached to that USB plug.

    • If only there were some sort of pocket-sized device one could use to test for voltage.

      Alternative solution: build the thing with the flash drive protruding from a transparent acrylic box/panel.

  • by Russ1642 (1087959) on Wednesday October 02, 2013 @04:19PM (#45018421)

    The technological equivalent of having unprotected sex through a glory hole at a Quebec truckstop.

    • by Rinikusu (28164)

      Without the excitement and swab down the dick later... Yeah, I think I'll pass...

    • by Anonymous Coward

      If you're running a system that is vulnerable to infected USB devices or media files, that's pretty much on you.

      • by Rockoon (1252108) on Wednesday October 02, 2013 @04:41PM (#45018681)

        If you're running a system that is vulnerable to infected USB devices or media files, that's pretty much on you.

        Sigh.. there is no technical reason why a untrusted USB device couldnt present itself as a Human Interface Device (HID - keyboard, mouse, both, ..) and then open up a shell on your *nix box and run arbitrary shell commands.

        There is in fact concern that future USB drives will be manufactured to "phone home" using such techniques.

      • by AK Marc (707885)
        So you assert that there are no driver vulnerabilities that can cause issues, or physical attacks that could work over USB?
    • by Anonymous Coward
      Is there a reason truckstop glory holes in Quebec are more dangerous than those in other locations?
    • Wait...you're saying that's a bad idea?

    • by cjb658 (1235986)

      What if the government is doing this to get us to install their spyware?

    • use an offline, disposable computer to read these drives if you want to play the game.

  • Ah... Sneakernet. (Score:5, Informative)

    by fahrbot-bot (874524) on Wednesday October 02, 2013 @04:23PM (#45018459)

    Sneakernet [wikipedia.org], for you youngsters, is like the Internet [wikipedia.org], but with more walking [wikipedia.org].

    [ Links make things "Informative"... :-) ]

    • by geekoid (135745)

      The latency is hell.

      • by jxander (2605655)
        Never underestimate the bandwidth of a station wagon full of CDs cruising down the freeway.
    • by Soporific (595477)

      We used to drag our machines over to some guys house along with 15-20 other people and just start the copy fest of 360KB disks. It was a bit tedious I suppose but at least the net wasn't faceless then.

      ~S

  • I don't see how this thwarts government spying. A catalog must be online somewhere, and anything the government is interested in, well, bonus, set up a cam opposite and write down whoever visits. Hell, it makes foreign spying even easier -- just another tourist visiting your country.

    • by Anonymous Coward

      I don't see how this thwarts government spying. A catalog must be online somewhere, and anything the government is interested in, well, bonus, set up a cam opposite and write down whoever visits. Hell, it makes foreign spying even easier -- just another tourist visiting your country.

      Resources. The government can come into your house and look in your computer (with an apparently all-too-easy-to-get warrant), but they don't have enough people to do that to all houses everywhere. The same is somewhat true here, they can't physically monitor all dead drops. And we could conceivably put in our own surveillance measures to detect if they physically come to the dead drop location, so we have a chance at knowing if we've been compromised. It's not a cure, it's just returning a little more cont

  • ... that the government can find and plug into these as easily as anyone else?? And then load software to track who is downloading??

    Another creative ideas from people from children living in their mom's basements who really don't have a clue.
    • by Gibgezr (2025238)

      How do they "load software to track who is downloading"? Do thumb drives now have the capability to execute software on their own? Can that software access your files and ID you over a USB port?

      Methinks you don't understand the technologies involved here. Everything to do with computers isn't a computer; specifically, USB flash drives are not computers.

      • by geekoid (135745)

        His point is someone could put software on it, and then when it gets copied to your computer it could report a location.

        But the would require someone clicking on an unknown executable or link, and no one would every do that, right?

        • by Gibgezr (2025238)

          OK, so the only people who need to be scared are people that would download a file named "RunMeToMakeFacebookFaster.exe" and execute it...but those folks are already boned by every Nigerian Prince on teh internetz, so I don't worry about them. The government already knows the state of every bit on their computers.

          I might be wrong, lord knows who actually uses these things, but it sounded like it was aimed at the sort of paranoid people who worry about the government tracking their files, and wouldn't be sil

          • by geekoid (135745)

            Or and hacked word doc, or an image with an exploit, or a file with a virus.

            It's like your knowledge of attack vectors stopped in 1994

            • by Gibgezr (2025238)

              I have been around for a long time, but like I explained, it was more "people paranoid enough to use sneakernet so as to avoid internet tracking are paranoid enough not to open word docs with macros turned on/run exes etc."

      • by blueg3 (192743) on Wednesday October 02, 2013 @05:46PM (#45019599)

        How do they "load software to track who is downloading"? Do thumb drives now have the capability to execute software on their own?

        Sometimes! But let's use an easier attack. Put a thumb drive plus some custom hardware into a thumb drive case. Easy to do. The hardware enumerates as both a thumb drive and, say, a USB audio-device driver that is present on most stock Linux distributions and has a particular buffer overflow vulnerability that allows arbitrary code execution. That sort of vulnerability is reasonably common and has happened in the past. Engineering that hardware is not hard. When the system enumerates the USB audio device, it loads that driver and the driver performs setup by talking to the USB device and requesting information. The evil device sends back responses to the driver that trigger the buffer overflow and execute device-provided code.

        You could make this fairly system-independent by putting a number of fake devices in there that exercise different vulnerabilities. Or you could determine what the connecting operating system is (and what drivers it has available) by looking at how it enumerates. You can even have your device use soft reconnects to try out different vulnerable drivers. (You would have the computer-facing port actually connect to a hub. Also easy to engineer up.)

        Can that software access your files and ID you over a USB port?

        So, yes.

        Don't assume that because something looks like a flash drive, it actually is. And don't connect unknown peripherals to your computer -- they talk directly to drivers.

        • by Gibgezr (2025238)

          This is actually something I considered for a moment as I was posting the above message, but tossed aside as being overly paranoid. Yes, a USB-drive-that-isn't-actually-a-USB-drive-but-is-actually-a-tiny-computer, a custom piece of hardware, might be able to find a vulnerability. Normally I'd think the tinfoil hat must be too tight if someone was worried about this, but in recent light of all this NSA spying on the world crap, I guess the option of "the terrorist state has won and I am giving in to fear" is

          • by blueg3 (192743)

            It's already been done many times, in a variety of ways, by researchers (mostly using general-purpose hardware). It doesn't require much paranoia at all.

            • by Gibgezr (2025238)

              I dunno, even in the cases you are talking about (the ones I am familiar with are computer under the table/behind the curtain with "charging cables" for phones etc), I would think that it requires some level of paranoia to say "I shouldn't plug my phone into any charging stations because they might be tracking me". It might be a justifiable level of paranoia, but it is still something that we haven't seen in the wild except as research experiments.

              The level of paranoia required to go from that to "better n

        • by MickLinux (579158)

          Perhaps the easiest and best way to thwart the nsa is to put all your files on a usb, and put it in a dead drop at

          NSA
          9800 Savage Rd
          Fort Meade, MD

          Yeah, it might seem pointless. But if ALL 6 billion of us did it...

      • by Qzukk (229616)

        specifically, USB flash drives are not computers

        And you know it's a USB flash drive and not a gumstix or other tiny computer because... the sign said "usb flash drive!!1! plug in here for good porn!!one!" and signs could never lie?

        • by Gibgezr (2025238)

          Possible, yes. Probable? No. I'd love to find out someone was crazy-glueing gumstix to the wall in public places near me, I'd have a nice collection of gumstix for 5 seconds work with a mini pry bar.

  • it's just a particularly slow one.

  • by babymac (312364) <{ten.retrahc} {ta} {d33hp}> on Wednesday October 02, 2013 @04:57PM (#45018905) Homepage
    As a six month veteran of the US Antarctic Program, I can tell you McMurdo Station doesn't need dead drops. There's plenty of file sharing going on pretty much in the open. I attended meetings in the library that would pretty much devolve into file sharing swap meets. I suppose it must have been like the mid-1990s on college campuses. Fun stuff!
  • http://deaddrops.com/dead-drops/db-map/ [deaddrops.com]
    Service Temporarily Unavailable

    The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

    Additionally, a 503 Service Temporarily Unavailable error was encountered while trying to use an ErrorDocument to handle the request.

  • 1 - God only knows what virus is on that device or if its not just wired to 220 and fry your machine on contact.
    2 - Who is watching? It wouldn't be considered entrapment if its the government.

  • by Anonymous Coward

    we are looking for people who would be interested to bring the deaddrops.com project fwd. things were slow but caught up now again in post snowden era ;) if you know php and are interested to support please get in touch! dev at deaddrops.com
    thx!
    ARAM (i m the guy in the video ;)

  • I've placed a couple of dead drops here in Seattle (the gum wall @ Pike Place Market & the Fremont Bridge) but both are long gone. Looks like it's an idea whose time has come. Time to plant some more all over town... http://jetcityorange.com/dead-drops/ [jetcityorange.com]
  • Those *might* be ok to use. at least then you can scan what you are getting, plus it wouldn't be obvious you are doing it.

  • But you're going to need an industrial-strength "USB condom". Data lines optoisolated. Power lines hooked to a battery in the condom. Both data and power lines on the "dangerous" side protected with fuses and overvoltage protection devices. And a microcontroller implementing a filter to make sure it can't pretend to be anything but a block storage device. Feasible, but worth it? I don't think so.

  • by almechist (1366403) on Wednesday October 02, 2013 @10:01PM (#45021653)

    Anyone who thinks this offers some form of anonymity in any way hasn't been paying attention. For instance, the locations are all known, there's a website that lists them all! Anyone interested in exactly who is downloading or uploading what just has to put up a hidden camera to watch the thumb drives.

    So, interesting concept, poor execution. Now if the drives were accessible through wireless means, that would be a step towards creating a true dead-drop network. This thing as described is just a stunt. Art project? Yeah, I can believe that.

  • Your anonymity in a dead drop system depends on the dead drop location being known only to you and to the person with whom you want to exchange the secret.

    As soon as you publish the location of the dead drop anyone can observe it and you have no anonymity whatsoever.

One small step for man, one giant stumble for mankind.

Working...