Dead Drops P2P File Sharing Spreads Around Globe

Lucas123 writes "After beginning as an art project 3 years ago in Manhattan to thwart government online spying and offer a physical depiction of our digitally-connected society, a trend of embedding USB thumb drives in walls has caught on and spread to every continent but Antarctica. Dead Drops, as the anonymous P2P files sharing network is called, now has more than 1,200 locations worldwide and has morphed as participants have become more creative in not only where they place the drives, but how they share files, including creating WiFi locations. The thumb drives, which range in size from a few megabytes to 60GB, have allowed people to share music, video, personal photos, poetry, political discourse, or artwork anonymously. Dead Drops creator, German artist Aram Bartholl, said the project is a way to 'un-cloud' file sharing."

Why yes!

[Frosty Piss]

I'd be happy to plug my netbook / phone / multimedia device into this unknown thumb drive. Why not? I've got anti-virus...

Re:

[stewsters]

I prefer to plug in random firewire [breaknenter.org] cables that i find hanging out of walls.

Re:

[Bengie]

That's why you want a modern computer that has an IOMMU, which forces the device to first ask the OS for permission to memory. It's like protected memory, for DMA. It only sees what the OS allows it to see.

Re:

[SampleFish]

Windmills do not work that way

https://www.youtube.com/watch?v=PmDVHs-juPo [youtube.com]

Re:

[Anonymous Coward]

don't mount the drive as root...
or better yet, use a livecd boot and only mount a small partition you set aside for this.

Re:Why yes!

[Anonymous Coward]

Not a thing. I have no idea how I am even making this post.

Re:

[AK Marc]

If you used a CD boot, with your hard drive only mounting a "P2P" partition, the OS and user partitions not even mounted, would that not prevent nearly all attack vectors? anything going after the OS would find it on a read-only drive, and the data disc could be compromised with no ill effects, given proper precautions.

Re:

[slashdime]

You're morely correct, but it would not prevent all attack vectors. If the boot cd auto mounts the usb key, and nautilus auto opens the mount point with preview on, the files could use vulnerabilities in various file formats (pdf comes first to mind) to run as nautilus (as root, or as a user that can escalate to root).

At that point, it has access to all partitions and devices connected to the system, mounted or not.

Re:

[Anonymous Coward]

Excellent. I've never run any *nix distro that didn't make you go through egregious steps to auto mount anything.

Re:

[Anonymous Coward]

You are blindly trusting that something physically appearing as a "USB key" is a usb storage class device. It could just as easily present some human-interface device endpoints and start injecting keyboard or mouse input to quickly control your computer. Or, it could simply zap your computer with a high voltage surge, potentially by drawing USB power to charge a capacitor...

Re:

[jez9999]

You're already wearing a pretty effective condom, it's called not running anything. There's absolutely no reason that the insertion of a storage device should cause your machine to run any of its code. If your OS is doing so it's a lousy OS.

Re:Why yes!

[i kan reed]

Yes, windows blows, but a smart operating system doesn't protect you. A known flaw in the drivers for a USB drive could still allow execution of arbitrary code.

Re:

[Anonymous Coward]

Yes, windows blows

It blows in many ways, but it's pretty easy to disable this autorun 'feature.'

Re:

[K. S. Kyosuke]

A known flaw in the drivers for a USB drive could still allow execution of arbitrary code.

Why hasn't the known flaw been fixed yet if it's a known flaw?

Re:

[geekoid]

Time, risk, and value.

Re:

[chaim79]

Something like a slightly modified Raspberry Pi with a custom OS that simply pulls all the content and saves it as a drive image that can be scanned and parsed, or maybe just grabs specific files (just image files or pdf files) and ignores all other files. In the end delivering it to another USB drive or an SD card in such a way that it's safe to open from your computer...

(optionally) uploads new content to the USB drive.

This sounds like a fun project, I'll have to start playing around with it. :D

Re:Why yes!

[Hobadee]

You are making a pretty big assumption there that what you are plugging in is actually a storage device. It could easily be a device which shows up as an HID device and plays back a macro. "Alt-F2, 'xterm', Enter, 'rm -rf /', Enter" would be pretty devastating on your secure Linux box which doesn't run anything from removable media.

Just because it looks like a thumb drive, doesn't mean it is one!

Re:

[QRDeNameland]

It could easily be a device which shows up as an HID device and plays back a macro.

Could you use an HID device to steal PIN numbers from an ATM machine?

/pedant

Re:

[Trogre]

Hint: Acronyms aren't supposed to be expanded inline.

Re:

[magic maverick]

That's the joke ...

Re:

[fnj]

Yeah, that would be real bad. If you ran the GUI as root like an idiot.

Re:

[Trogre]

Or as any other user.

rm -Rf / will be equally devastating to an unprivileged user's data. It just won't leave you with a non-functional computer.

Re:

[aztracker1]

rm -Rf ~/ could be pretty devastating if you're the only user on the machine, and all the stuff you care about is under ~/

Re:

[Culture20]

s@rm -rf /@/bin/rm -rf ~/@
would be devastating enough to most folk (and wouldn't require root privs)
There are other things that could happen too: setting up a cronjob/scheduled task for a secure tunnel to a dynamic address or a daemon that regularly downloads new exploit code and attempts to get root/administrator

Re:

[Princeofcups]

You are making a pretty big assumption there that what you are plugging in is actually a storage device. It could easily be a device which shows up as an HID device and plays back a macro. "Alt-F2, 'xterm', Enter, 'rm -rf /', Enter" would be pretty devastating on your secure Linux box which doesn't run anything from removable media.

Just because it looks like a thumb drive, doesn't mean it is one!

You don't an xterm to enter commands in unix/linux. You actually don't even need a shell, but it makes things a little easier.

Re:

[Reziac]

Also I'm wondering how long before these drops become 'targets' for law enforcement.

Re:Why yes!

[jkflying]

You're thinking software. Try thinking hardware.

I bet by hooking the other end of the USB up to 220V I could do some pretty nasty things to your computer.

Re:

[Trogre]

Or the other way around:

Now that there's a nice centrally-administered map database for all these, what's to stop antagonistic operatives (govt, RIAA, etc) systematically applying portable high voltage flash-zappers to these, rendering them all useless?

Re:

[blueg3]

How do you know it's a storage device? It's just something with a USB port that happens to look vaguely like a storage device. But with USB, it's pretty trivial to do something like have that USB device present itself to the system as a storage device, mouse, and keyboard.

There's also no shortage of vulnerabilities in the USB stack. A buffer overflow in a USB driver, for example. This is all handled during enumeration, when (with any operating system), the user has little control over the OS's behavior.

Re:

[geekoid]

Every Major OS has the capability.

Re:

[SampleFish]

You don't know shit about USB rubber ducky.

http://hakshop.myshopify.com/products/usb-rubber-ducky [myshopify.com]

Make your time.
All your base are belong to us.

Re:

[Yomers]

Interesting device! How to protect linux computer from such attack, besides glueing USB ports? Any way to make it to ask for user password upon inserting HID device?

Re:

[pwizard2]

If you just want to see what's there, a laptop running a Linux LiveCD (with all hard drives unmounted) would eliminate much of the risk.

Re:

[lars_boegild_thomsen]

I'd be happy to plug my netbook / phone / multimedia device into this unknown thumb drive. Why not? I've got Linux.

Re:

[blueg3]

It's not good.

Re:

[fnj]

How good is the ESD protection on USB ports? Can it handle a thumb drive filled with capacitors?

It's not good.

Oh I dunno, if you get a half decent motherboard it can be pretty good.

Gigabyte GA-Z87X-D3H [gigabyte.com]
At Newegg [newegg.com]

"GIGABYTE Ultra Durable 5 Plus debuts on GIGABYTE 8 Series motherboards, with a range of features and component choices that provide record-breaking performance, cool and efficient operation and extended motherboard lifespan."

"GIGABYTE 8 Series motherboards raise the bar in terms of protecting your sy

Re:

[Richy_T]

I want to see it take a direct lightning strike.

Re:

[tlhIngan]

Oh I dunno, if you get a half decent motherboard it can be pretty good.

Gigabyte GA-Z87X-D3H
At Newegg

"GIGABYTE Ultra Durable 5 Plus debuts on GIGABYTE 8 Series motherboards, with a range of features and component choices that provide record-breaking performance, cool and efficient operation and extended motherboard lifespan."

"GIGABYTE 8 Series motherboards raise the bar in terms of protecting your system, providing advanced electrostatic discharge (ESD) protection for both your Ethernet LAN and USB ports, bo

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[TheLink]

Oh I see it's "lighting strikes" and not lightning strikes. I suppose it could protect your system from someone shining a not too bright light at it.

In contrast I'm not aware of many smallish _electronic_ devices that can take direct lightning hits with zero or minimal damage.

I've seen a modem that probably took a lightning induced surge[1]. Basically some of the copper tracks vaporized and were deposited as small little copper balls on the inside of the modem case. Even the mouse attached to the PC attache

Better idea

[MrEricSir]

While it requires power, something like the PirateBox [daviddarts.com] seems like a safer alternative. It relies on wifi, which means you don't have to be in one physical spot to use it, and you don't run the risk of pluggin your computer into something you can't see. You never know, it could be a 240 volt power line attached to that USB plug.

Re:

[davidbrit2]

If only there were some sort of pocket-sized device one could use to test for voltage.

Alternative solution: build the thing with the flash drive protruding from a transparent acrylic box/panel.

Re:

[CastrTroy]

I was just thinking of doing something similar with a Raspberry Pi (or other similar cheap computer, Beaglebone etc.) Add a wireless dongle, create a network that people can connect to, and allow them to add files. It would be pretty easy to set up a firewall, so they couldn't do much damage. I'm not sure what the best software would be though. It would be nice if you could allow people to upload, but not delete files, and set up some kind of quota system so that someone doesn't just fill it with junk.

Re:

[Inda]

Yeah. We should invent a protocol to transfer files, a file transfer protocol, so to speak. It would allow anonymous access, uploading and downloading, but no deleting. Deleting could only be done by the server admin.

For extra functionallity, we could allow a ratio system where the user must upload a file before being able to download. This might be a problem for people with massive upload speeds. We'd have to introduce some form of throttling too.

I'd like to see a discovery system introduced. It would have

Re:

[CastrTroy]

I know that FTP exists, but I'm not aware of any servers that would limit the users in quite the necessary ways. It would have to allow for anonymous uploads, and yet somehow still have quotas. Something basic would assign a quota to each MAC address, but even that is quite easily changed. How does one enforce a quota when the people connecting are anonymous. You can't just track the IP of the end point, because it's an ad hoc network, and the clients could pick any address they wanted to on the subnet.

Re:

[drkstr1]

Wow, someone that can say "Raspberry Pi" but can't google "file permissions on linux" or umask.

Nice snark there rtard. If a user has permission to "edit" a directory, this includes both editing and deleting files owned by the same user. File permissions or umask will not help you there. I suppose you could rig the system to create a new user for every mac address that connects, but that could be easily circumvented. Im sure it's possible someone, just not as easy as googling how filer permissions work.

Re:

[drkstr1]

Meant to say creating and deleting files. Editing would actually be protected by umask, but is not the issue here.

Re:

[CastrTroy]

Perhaps it would be OK if users could delete files they themselves uploaded. I've always thought it would be interesting to have a programmable ftp server. Similar to dynamic pages on the web, using PHP/JSP/Python/CGI/Ruby, but served over the FTP protocol. You could control access to the files using scripts, and serve dynamic files, so for instance people downloading data sets over FTP would always be downloading a current version of the data.

What a great idea!

[Russ1642]

The technological equivalent of having unprotected sex through a glory hole at a Quebec truckstop.

Re:

[Rinikusu]

Without the excitement and swab down the dick later... Yeah, I think I'll pass...

Re:

[Anonymous Coward]

If you're running a system that is vulnerable to infected USB devices or media files, that's pretty much on you.

Re:What a great idea!

[Rockoon]

If you're running a system that is vulnerable to infected USB devices or media files, that's pretty much on you.

Sigh.. there is no technical reason why a untrusted USB device couldnt present itself as a Human Interface Device (HID - keyboard, mouse, both, ..) and then open up a shell on your *nix box and run arbitrary shell commands.

There is in fact concern that future USB drives will be manufactured to "phone home" using such techniques.

Re:

[AK Marc]

So you assert that there are no driver vulnerabilities that can cause issues, or physical attacks that could work over USB?

Re:

[Soporific]

It probably wouldn't survive a gunshot coming out of the wall either, but I mean really? People are going to go around wiring 480 volt USB cables?

~S

Re:

[Anonymous Coward]

Is there a reason truckstop glory holes in Quebec are more dangerous than those in other locations?

Re:What a great idea!

[Russ1642]

When trying to depict something as seedy make it French. I didn't make up the rules.

Re:

[Gibgezr]

In this particular instance, having seen the state of many roadside toilets along the highway in Quebec over the years, I agree with the choice. Many are fine, but the filthiest/most run down bathrooms I have ever seen have all been in Quebec (and not just along the highway; the worst hotel bathroom was in Quebec as well...although, to be fair, so was the nicest).

Re:

[intangible]

Was it the same hotel bathroom perchance?

Re:

[Gibgezr]

No, but both hotels were in the same city: Montreal.

Re:

[Ralph Wiggam]

Wait...you're saying that's a bad idea?

Re:

[cjb658]

What if the government is doing this to get us to install their spyware?

by analogy - use a dildo

[schlachter]

use an offline, disposable computer to read these drives if you want to play the game.

Re:

[sconeu]

Booted from a LiveCD.

Ah... Sneakernet.

[fahrbot-bot]

Sneakernet [wikipedia.org], for you youngsters, is like the Internet [wikipedia.org], but with more walking [wikipedia.org].

[ Links make things "Informative"... :-) ]

Re:

[geekoid]

The latency is hell.

Re:

[jxander]

Never underestimate the bandwidth of a station wagon full of CDs cruising down the freeway.

Re:

[Soporific]

We used to drag our machines over to some guys house along with 15-20 other people and just start the copy fest of 360KB disks. It was a bit tedious I suppose but at least the net wasn't faceless then.

~S

Interesting, but...

[Impy the Impiuos Imp]

I don't see how this thwarts government spying. A catalog must be online somewhere, and anything the government is interested in, well, bonus, set up a cam opposite and write down whoever visits. Hell, it makes foreign spying even easier -- just another tourist visiting your country.

Re:

[Anonymous Coward]

I don't see how this thwarts government spying. A catalog must be online somewhere, and anything the government is interested in, well, bonus, set up a cam opposite and write down whoever visits. Hell, it makes foreign spying even easier -- just another tourist visiting your country.

Resources. The government can come into your house and look in your computer (with an apparently all-too-easy-to-get warrant), but they don't have enough people to do that to all houses everywhere. The same is somewhat true here, they can't physically monitor all dead drops. And we could conceivably put in our own surveillance measures to detect if they physically come to the dead drop location, so we have a chance at knowing if we've been compromised. It's not a cure, it's just returning a little more cont

And it never occured to anyone ...

[johnlcallaway]

... that the government can find and plug into these as easily as anyone else?? And then load software to track who is downloading??

Another creative ideas from people from children living in their mom's basements who really don't have a clue.

Re:

[Gibgezr]

How do they "load software to track who is downloading"? Do thumb drives now have the capability to execute software on their own? Can that software access your files and ID you over a USB port?

Methinks you don't understand the technologies involved here. Everything to do with computers isn't a computer; specifically, USB flash drives are not computers.

Re:

[geekoid]

His point is someone could put software on it, and then when it gets copied to your computer it could report a location.

But the would require someone clicking on an unknown executable or link, and no one would every do that, right?

Re:

[Gibgezr]

OK, so the only people who need to be scared are people that would download a file named "RunMeToMakeFacebookFaster.exe" and execute it...but those folks are already boned by every Nigerian Prince on teh internetz, so I don't worry about them. The government already knows the state of every bit on their computers.

I might be wrong, lord knows who actually uses these things, but it sounded like it was aimed at the sort of paranoid people who worry about the government tracking their files, and wouldn't be sil

Re:

[geekoid]

Or and hacked word doc, or an image with an exploit, or a file with a virus.

It's like your knowledge of attack vectors stopped in 1994

Re:

[Gibgezr]

I have been around for a long time, but like I explained, it was more "people paranoid enough to use sneakernet so as to avoid internet tracking are paranoid enough not to open word docs with macros turned on/run exes etc."

Re:And it never occured to anyone ...

[blueg3]

How do they "load software to track who is downloading"? Do thumb drives now have the capability to execute software on their own?

Sometimes! But let's use an easier attack. Put a thumb drive plus some custom hardware into a thumb drive case. Easy to do. The hardware enumerates as both a thumb drive and, say, a USB audio-device driver that is present on most stock Linux distributions and has a particular buffer overflow vulnerability that allows arbitrary code execution. That sort of vulnerability is reasonably common and has happened in the past. Engineering that hardware is not hard. When the system enumerates the USB audio device, it loads that driver and the driver performs setup by talking to the USB device and requesting information. The evil device sends back responses to the driver that trigger the buffer overflow and execute device-provided code.

You could make this fairly system-independent by putting a number of fake devices in there that exercise different vulnerabilities. Or you could determine what the connecting operating system is (and what drivers it has available) by looking at how it enumerates. You can even have your device use soft reconnects to try out different vulnerable drivers. (You would have the computer-facing port actually connect to a hub. Also easy to engineer up.)

Can that software access your files and ID you over a USB port?

So, yes.

Don't assume that because something looks like a flash drive, it actually is. And don't connect unknown peripherals to your computer -- they talk directly to drivers.

Re:

[Gibgezr]

This is actually something I considered for a moment as I was posting the above message, but tossed aside as being overly paranoid. Yes, a USB-drive-that-isn't-actually-a-USB-drive-but-is-actually-a-tiny-computer, a custom piece of hardware, might be able to find a vulnerability. Normally I'd think the tinfoil hat must be too tight if someone was worried about this, but in recent light of all this NSA spying on the world crap, I guess the option of "the terrorist state has won and I am giving in to fear" is

Re:

[blueg3]

It's already been done many times, in a variety of ways, by researchers (mostly using general-purpose hardware). It doesn't require much paranoia at all.

Re:

[Gibgezr]

I dunno, even in the cases you are talking about (the ones I am familiar with are computer under the table/behind the curtain with "charging cables" for phones etc), I would think that it requires some level of paranoia to say "I shouldn't plug my phone into any charging stations because they might be tracking me". It might be a justifiable level of paranoia, but it is still something that we haven't seen in the wild except as research experiments.

The level of paranoia required to go from that to "better n

Re:

[MickLinux]

Perhaps the easiest and best way to thwart the nsa is to put all your files on a usb, and put it in a dead drop at

NSA
9800 Savage Rd
Fort Meade, MD

Yeah, it might seem pointless. But if ALL 6 billion of us did it...

Re:

[blueg3]

You can whitelist on Linux and Windows systems, too, if you include modifying the driver-loading process. It can be reasonably easily done on either system. But common out-of-the-box OSes have wide-ranging support for drivers that they load automatically.

Re:

[Qzukk]

specifically, USB flash drives are not computers

And you know it's a USB flash drive and not a gumstix or other tiny computer because... the sign said "usb flash drive!!1! plug in here for good porn!!one!" and signs could never lie?

Re:

[Gibgezr]

Possible, yes. Probable? No. I'd love to find out someone was crazy-glueing gumstix to the wall in public places near me, I'd have a nice collection of gumstix for 5 seconds work with a mini pry bar.

but it is a could

[geekoid]

it's just a particularly slow one.

Antarctica doesn't need dead drops...

[babymac]

As a six month veteran of the US Antarctic Program, I can tell you McMurdo Station doesn't need dead drops. There's plenty of file sharing going on pretty much in the open. I attended meetings in the library that would pretty much devolve into file sharing swap meets. I suppose it must have been like the mid-1990s on college campuses. Fun stuff!

Blast that federal shutdown!

[Austrian Anarchy]

http://deaddrops.com/dead-drops/db-map/ [deaddrops.com]
Service Temporarily Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Additionally, a 503 Service Temporarily Unavailable error was encountered while trying to use an ErrorDocument to handle the request.

No thanks

[nurb432]

1 - God only knows what virus is on that device or if its not just wired to 220 and fry your machine on contact.
2 - Who is watching? It wouldn't be considered entrapment if its the government.

hey INTERNET!

[Anonymous Coward]

we are looking for people who would be interested to bring the deaddrops.com project fwd. things were slow but caught up now again in post snowden era ;) if you know php and are interested to support please get in touch! dev at deaddrops.com
thx!
ARAM (i m the guy in the video ;)

Re:

[zentigger]

The best 99 you will ever spend:

http://www.monoprice.com/products/product.asp?c_id=103&cp_id=10303&cs_id=1030304&p_id=5432&seq=1&format=2 [monoprice.com]

Time to do more in Seattle

[jetcityorange]

I've placed a couple of dead drops here in Seattle (the gum wall @ Pike Place Market & the Fremont Bridge) but both are long gone. Looks like it's an idea whose time has come. Time to plant some more all over town... http://jetcityorange.com/dead-drops/ [jetcityorange.com]

Re:

[drkstr1]

Hello fellow Seattleite. I will keep an eye out for your work. :)

wifi drops

[nurb432]

Those *might* be ok to use. at least then you can scan what you are getting, plus it wouldn't be obvious you are doing it.

Could be possible to use safely

[russotto]

But you're going to need an industrial-strength "USB condom". Data lines optoisolated. Power lines hooked to a battery in the condom. Both data and power lines on the "dangerous" side protected with fuses and overvoltage protection devices. And a microcontroller implementing a filter to make sure it can't pretend to be anything but a block storage device. Feasible, but worth it? I don't think so.

Hardly anonymous

[almechist]

Anyone who thinks this offers some form of anonymity in any way hasn't been paying attention. For instance, the locations are all known, there's a website that lists them all! Anyone interested in exactly who is downloading or uploading what just has to put up a hidden camera to watch the thumb drives.

So, interesting concept, poor execution. Now if the drives were accessible through wireless means, that would be a step towards creating a true dead-drop network. This thing as described is just a stunt. Art project? Yeah, I can believe that.

Small problem

[Hypotensive]

Your anonymity in a dead drop system depends on the dead drop location being known only to you and to the person with whom you want to exchange the secret.

As soon as you publish the location of the dead drop anyone can observe it and you have no anonymity whatsoever.

Re:

[Gibgezr]

This is sneakernet with anonymous strangers. I don't know about you, but that is a new one on me. It used to be I knew who I was getting the floppy disk from.

Re:

[nurb432]

With sneaker-net you knew who you were dealing with, and you took it to them personally. You didn't just lay a grocery bag of anonymous floppies under a park bench.

Re:

[geekoid]

anon sneakernet is still sneakernet

Re:

[Anonymous Coward]

Dear incoherent racist troll:

When you die, you'll have accomplished nothing but making life for others slightly less wonderful than it otherwise would have been. You will have created nothing of lasting beauty, and wasted the only opportunity you'll ever have to do something great. You get one chance at this game of life, and you are losing at it. Badly.

Re:

[SampleFish]

That's actually what I put in mine