Dead Drops P2P File Sharing Spreads Around Globe 174
Lucas123 writes "After beginning as an art project 3 years ago in Manhattan to thwart government online spying and offer a physical depiction of our digitally-connected society, a trend of embedding USB thumb drives in walls has caught on and spread to every continent but Antarctica. Dead Drops, as the anonymous P2P files sharing network is called, now has more than 1,200 locations worldwide and has morphed as participants have become more creative in not only where they place the drives, but how they share files, including creating WiFi locations. The thumb drives, which range in size from a few megabytes to 60GB, have allowed people to share music, video, personal photos, poetry, political discourse, or artwork anonymously. Dead Drops creator, German artist Aram Bartholl, said the project is a way to 'un-cloud' file sharing."
Better idea (Score:5, Informative)
While it requires power, something like the PirateBox [daviddarts.com] seems like a safer alternative. It relies on wifi, which means you don't have to be in one physical spot to use it, and you don't run the risk of pluggin your computer into something you can't see. You never know, it could be a 240 volt power line attached to that USB plug.
Ah... Sneakernet. (Score:5, Informative)
Sneakernet [wikipedia.org], for you youngsters, is like the Internet [wikipedia.org], but with more walking [wikipedia.org].
[ Links make things "Informative"... :-) ]
Re:Why yes! (Score:5, Informative)
You're thinking software. Try thinking hardware.
I bet by hooking the other end of the USB up to 220V I could do some pretty nasty things to your computer.
Re:And it never occured to anyone ... (Score:5, Informative)
How do they "load software to track who is downloading"? Do thumb drives now have the capability to execute software on their own?
Sometimes! But let's use an easier attack. Put a thumb drive plus some custom hardware into a thumb drive case. Easy to do. The hardware enumerates as both a thumb drive and, say, a USB audio-device driver that is present on most stock Linux distributions and has a particular buffer overflow vulnerability that allows arbitrary code execution. That sort of vulnerability is reasonably common and has happened in the past. Engineering that hardware is not hard. When the system enumerates the USB audio device, it loads that driver and the driver performs setup by talking to the USB device and requesting information. The evil device sends back responses to the driver that trigger the buffer overflow and execute device-provided code.
You could make this fairly system-independent by putting a number of fake devices in there that exercise different vulnerabilities. Or you could determine what the connecting operating system is (and what drivers it has available) by looking at how it enumerates. You can even have your device use soft reconnects to try out different vulnerable drivers. (You would have the computer-facing port actually connect to a hub. Also easy to engineer up.)
Can that software access your files and ID you over a USB port?
So, yes.
Don't assume that because something looks like a flash drive, it actually is. And don't connect unknown peripherals to your computer -- they talk directly to drivers.