Dead Drops P2P File Sharing Spreads Around Globe 174
Lucas123 writes "After beginning as an art project 3 years ago in Manhattan to thwart government online spying and offer a physical depiction of our digitally-connected society, a trend of embedding USB thumb drives in walls has caught on and spread to every continent but Antarctica. Dead Drops, as the anonymous P2P files sharing network is called, now has more than 1,200 locations worldwide and has morphed as participants have become more creative in not only where they place the drives, but how they share files, including creating WiFi locations. The thumb drives, which range in size from a few megabytes to 60GB, have allowed people to share music, video, personal photos, poetry, political discourse, or artwork anonymously. Dead Drops creator, German artist Aram Bartholl, said the project is a way to 'un-cloud' file sharing."
Why yes! (Score:5, Insightful)
I'd be happy to plug my netbook / phone / multimedia device into this unknown thumb drive. Why not? I've got anti-virus...
Re: (Score:3)
Re: (Score:2)
Re: (Score:1)
Windmills do not work that way
https://www.youtube.com/watch?v=PmDVHs-juPo [youtube.com]
Re: (Score:2, Insightful)
don't mount the drive as root...
or better yet, use a livecd boot and only mount a small partition you set aside for this.
Re:Why yes! (Score:5, Funny)
Not a thing. I have no idea how I am even making this post.
Re: (Score:2)
Re: (Score:1)
At that point, it has access to all partitions and devices connected to the system, mounted or not.
Re: (Score:1)
Excellent. I've never run any *nix distro that didn't make you go through egregious steps to auto mount anything.
Re: (Score:2, Interesting)
You are blindly trusting that something physically appearing as a "USB key" is a usb storage class device. It could just as easily present some human-interface device endpoints and start injecting keyboard or mouse input to quickly control your computer. Or, it could simply zap your computer with a high voltage surge, potentially by drawing USB power to charge a capacitor...
Re: (Score:1)
You're already wearing a pretty effective condom, it's called not running anything. There's absolutely no reason that the insertion of a storage device should cause your machine to run any of its code. If your OS is doing so it's a lousy OS.
Re:Why yes! (Score:5, Insightful)
Yes, windows blows, but a smart operating system doesn't protect you. A known flaw in the drivers for a USB drive could still allow execution of arbitrary code.
Re: (Score:1)
Yes, windows blows
It blows in many ways, but it's pretty easy to disable this autorun 'feature.'
Re: (Score:2)
A known flaw in the drivers for a USB drive could still allow execution of arbitrary code.
Why hasn't the known flaw been fixed yet if it's a known flaw?
Re: (Score:2)
Time, risk, and value.
Re: (Score:2)
Something like a slightly modified Raspberry Pi with a custom OS that simply pulls all the content and saves it as a drive image that can be scanned and parsed, or maybe just grabs specific files (just image files or pdf files) and ignores all other files. In the end delivering it to another USB drive or an SD card in such a way that it's safe to open from your computer...
(optionally) uploads new content to the USB drive.
This sounds like a fun project, I'll have to start playing around with it. :D
Re:Why yes! (Score:5, Interesting)
You are making a pretty big assumption there that what you are plugging in is actually a storage device. It could easily be a device which shows up as an HID device and plays back a macro. "Alt-F2, 'xterm', Enter, 'rm -rf /', Enter" would be pretty devastating on your secure Linux box which doesn't run anything from removable media.
Just because it looks like a thumb drive, doesn't mean it is one!
Re: (Score:2)
It could easily be a device which shows up as an HID device and plays back a macro.
Could you use an HID device to steal PIN numbers from an ATM machine?
/pedant
Re: (Score:2)
Hint: Acronyms aren't supposed to be expanded inline.
Re: (Score:2)
That's the joke ...
Re: (Score:2)
Yeah, that would be real bad. If you ran the GUI as root like an idiot.
Re: (Score:2)
Or as any other user.
rm -Rf / will be equally devastating to an unprivileged user's data. It just won't leave you with a non-functional computer.
Re: (Score:2)
Re: (Score:2)
would be devastating enough to most folk (and wouldn't require root privs)
There are other things that could happen too: setting up a cronjob/scheduled task for a secure tunnel to a dynamic address or a daemon that regularly downloads new exploit code and attempts to get root/administrator
Re: (Score:2)
You are making a pretty big assumption there that what you are plugging in is actually a storage device. It could easily be a device which shows up as an HID device and plays back a macro. "Alt-F2, 'xterm', Enter, 'rm -rf /', Enter" would be pretty devastating on your secure Linux box which doesn't run anything from removable media.
Just because it looks like a thumb drive, doesn't mean it is one!
You don't an xterm to enter commands in unix/linux. You actually don't even need a shell, but it makes things a little easier.
Re: (Score:2)
Also I'm wondering how long before these drops become 'targets' for law enforcement.
Re:Why yes! (Score:5, Informative)
You're thinking software. Try thinking hardware.
I bet by hooking the other end of the USB up to 220V I could do some pretty nasty things to your computer.
Re: (Score:2)
Or the other way around:
Now that there's a nice centrally-administered map database for all these, what's to stop antagonistic operatives (govt, RIAA, etc) systematically applying portable high voltage flash-zappers to these, rendering them all useless?
Re: (Score:2)
How do you know it's a storage device? It's just something with a USB port that happens to look vaguely like a storage device. But with USB, it's pretty trivial to do something like have that USB device present itself to the system as a storage device, mouse, and keyboard.
There's also no shortage of vulnerabilities in the USB stack. A buffer overflow in a USB driver, for example. This is all handled during enumeration, when (with any operating system), the user has little control over the OS's behavior.
Re: (Score:2)
Every Major OS has the capability.
Re: (Score:1)
You don't know shit about USB rubber ducky.
http://hakshop.myshopify.com/products/usb-rubber-ducky [myshopify.com]
Make your time.
All your base are belong to us.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I'd be happy to plug my netbook / phone / multimedia device into this unknown thumb drive. Why not? I've got Linux.
Re: (Score:2)
It's not good.
Re: (Score:2)
Oh I dunno, if you get a half decent motherboard it can be pretty good.
Gigabyte GA-Z87X-D3H [gigabyte.com]
At Newegg [newegg.com]
"GIGABYTE Ultra Durable 5 Plus debuts on GIGABYTE 8 Series motherboards, with a range of features and component choices that provide record-breaking performance, cool and efficient operation and extended motherboard lifespan."
"GIGABYTE 8 Series motherboards raise the bar in terms of protecting your sy
Re: (Score:2)
I want to see it take a direct lightning strike.
Re: (Score:2)
Comment removed (Score:4, Funny)
Re: (Score:2)
In contrast I'm not aware of many smallish _electronic_ devices that can take direct lightning hits with zero or minimal damage.
I've seen a modem that probably took a lightning induced surge[1]. Basically some of the copper tracks vaporized and were deposited as small little copper balls on the inside of the modem case. Even the mouse attached to the PC attache
Better idea (Score:5, Informative)
While it requires power, something like the PirateBox [daviddarts.com] seems like a safer alternative. It relies on wifi, which means you don't have to be in one physical spot to use it, and you don't run the risk of pluggin your computer into something you can't see. You never know, it could be a 240 volt power line attached to that USB plug.
Re: (Score:2)
If only there were some sort of pocket-sized device one could use to test for voltage.
Alternative solution: build the thing with the flash drive protruding from a transparent acrylic box/panel.
Re: (Score:3)
Re: (Score:2)
For extra functionallity, we could allow a ratio system where the user must upload a file before being able to download. This might be a problem for people with massive upload speeds. We'd have to introduce some form of throttling too.
I'd like to see a discovery system introduced. It would have
Re: (Score:2)
Re: (Score:2)
Wow, someone that can say "Raspberry Pi" but can't google "file permissions on linux" or umask.
Nice snark there rtard. If a user has permission to "edit" a directory, this includes both editing and deleting files owned by the same user. File permissions or umask will not help you there. I suppose you could rig the system to create a new user for every mac address that connects, but that could be easily circumvented. Im sure it's possible someone, just not as easy as googling how filer permissions work.
Re: (Score:2)
Re: (Score:2)
What a great idea! (Score:5, Funny)
The technological equivalent of having unprotected sex through a glory hole at a Quebec truckstop.
Re: (Score:2)
Without the excitement and swab down the dick later... Yeah, I think I'll pass...
Re: (Score:1)
If you're running a system that is vulnerable to infected USB devices or media files, that's pretty much on you.
Re:What a great idea! (Score:5, Insightful)
If you're running a system that is vulnerable to infected USB devices or media files, that's pretty much on you.
Sigh.. there is no technical reason why a untrusted USB device couldnt present itself as a Human Interface Device (HID - keyboard, mouse, both, ..) and then open up a shell on your *nix box and run arbitrary shell commands.
There is in fact concern that future USB drives will be manufactured to "phone home" using such techniques.
Re: (Score:2)
Re: (Score:2)
It probably wouldn't survive a gunshot coming out of the wall either, but I mean really? People are going to go around wiring 480 volt USB cables?
~S
Re: (Score:1)
Re:What a great idea! (Score:5, Funny)
When trying to depict something as seedy make it French. I didn't make up the rules.
Re: (Score:2)
In this particular instance, having seen the state of many roadside toilets along the highway in Quebec over the years, I agree with the choice. Many are fine, but the filthiest/most run down bathrooms I have ever seen have all been in Quebec (and not just along the highway; the worst hotel bathroom was in Quebec as well...although, to be fair, so was the nicest).
Re: (Score:1)
Was it the same hotel bathroom perchance?
Re: (Score:2)
No, but both hotels were in the same city: Montreal.
Re: (Score:2)
Wait...you're saying that's a bad idea?
Re: (Score:3)
What if the government is doing this to get us to install their spyware?
by analogy - use a dildo (Score:2)
use an offline, disposable computer to read these drives if you want to play the game.
Re: (Score:2)
Booted from a LiveCD.
Ah... Sneakernet. (Score:5, Informative)
Sneakernet [wikipedia.org], for you youngsters, is like the Internet [wikipedia.org], but with more walking [wikipedia.org].
[ Links make things "Informative"... :-) ]
Re: (Score:2)
The latency is hell.
Re: (Score:2)
Re: (Score:2)
We used to drag our machines over to some guys house along with 15-20 other people and just start the copy fest of 360KB disks. It was a bit tedious I suppose but at least the net wasn't faceless then.
~S
Interesting, but... (Score:2)
I don't see how this thwarts government spying. A catalog must be online somewhere, and anything the government is interested in, well, bonus, set up a cam opposite and write down whoever visits. Hell, it makes foreign spying even easier -- just another tourist visiting your country.
Re: (Score:1)
I don't see how this thwarts government spying. A catalog must be online somewhere, and anything the government is interested in, well, bonus, set up a cam opposite and write down whoever visits. Hell, it makes foreign spying even easier -- just another tourist visiting your country.
Resources. The government can come into your house and look in your computer (with an apparently all-too-easy-to-get warrant), but they don't have enough people to do that to all houses everywhere. The same is somewhat true here, they can't physically monitor all dead drops. And we could conceivably put in our own surveillance measures to detect if they physically come to the dead drop location, so we have a chance at knowing if we've been compromised. It's not a cure, it's just returning a little more cont
And it never occured to anyone ... (Score:2)
Another creative ideas from people from children living in their mom's basements who really don't have a clue.
Re: (Score:2)
How do they "load software to track who is downloading"? Do thumb drives now have the capability to execute software on their own? Can that software access your files and ID you over a USB port?
Methinks you don't understand the technologies involved here. Everything to do with computers isn't a computer; specifically, USB flash drives are not computers.
Re: (Score:2)
His point is someone could put software on it, and then when it gets copied to your computer it could report a location.
But the would require someone clicking on an unknown executable or link, and no one would every do that, right?
Re: (Score:2)
OK, so the only people who need to be scared are people that would download a file named "RunMeToMakeFacebookFaster.exe" and execute it...but those folks are already boned by every Nigerian Prince on teh internetz, so I don't worry about them. The government already knows the state of every bit on their computers.
I might be wrong, lord knows who actually uses these things, but it sounded like it was aimed at the sort of paranoid people who worry about the government tracking their files, and wouldn't be sil
Re: (Score:2)
Or and hacked word doc, or an image with an exploit, or a file with a virus.
It's like your knowledge of attack vectors stopped in 1994
Re: (Score:2)
I have been around for a long time, but like I explained, it was more "people paranoid enough to use sneakernet so as to avoid internet tracking are paranoid enough not to open word docs with macros turned on/run exes etc."
Re:And it never occured to anyone ... (Score:5, Informative)
How do they "load software to track who is downloading"? Do thumb drives now have the capability to execute software on their own?
Sometimes! But let's use an easier attack. Put a thumb drive plus some custom hardware into a thumb drive case. Easy to do. The hardware enumerates as both a thumb drive and, say, a USB audio-device driver that is present on most stock Linux distributions and has a particular buffer overflow vulnerability that allows arbitrary code execution. That sort of vulnerability is reasonably common and has happened in the past. Engineering that hardware is not hard. When the system enumerates the USB audio device, it loads that driver and the driver performs setup by talking to the USB device and requesting information. The evil device sends back responses to the driver that trigger the buffer overflow and execute device-provided code.
You could make this fairly system-independent by putting a number of fake devices in there that exercise different vulnerabilities. Or you could determine what the connecting operating system is (and what drivers it has available) by looking at how it enumerates. You can even have your device use soft reconnects to try out different vulnerable drivers. (You would have the computer-facing port actually connect to a hub. Also easy to engineer up.)
Can that software access your files and ID you over a USB port?
So, yes.
Don't assume that because something looks like a flash drive, it actually is. And don't connect unknown peripherals to your computer -- they talk directly to drivers.
Re: (Score:2)
This is actually something I considered for a moment as I was posting the above message, but tossed aside as being overly paranoid. Yes, a USB-drive-that-isn't-actually-a-USB-drive-but-is-actually-a-tiny-computer, a custom piece of hardware, might be able to find a vulnerability. Normally I'd think the tinfoil hat must be too tight if someone was worried about this, but in recent light of all this NSA spying on the world crap, I guess the option of "the terrorist state has won and I am giving in to fear" is
Re: (Score:2)
It's already been done many times, in a variety of ways, by researchers (mostly using general-purpose hardware). It doesn't require much paranoia at all.
Re: (Score:2)
I dunno, even in the cases you are talking about (the ones I am familiar with are computer under the table/behind the curtain with "charging cables" for phones etc), I would think that it requires some level of paranoia to say "I shouldn't plug my phone into any charging stations because they might be tracking me". It might be a justifiable level of paranoia, but it is still something that we haven't seen in the wild except as research experiments.
The level of paranoia required to go from that to "better n
Re: (Score:2)
Perhaps the easiest and best way to thwart the nsa is to put all your files on a usb, and put it in a dead drop at
NSA
9800 Savage Rd
Fort Meade, MD
Yeah, it might seem pointless. But if ALL 6 billion of us did it...
Re: (Score:2)
You can whitelist on Linux and Windows systems, too, if you include modifying the driver-loading process. It can be reasonably easily done on either system. But common out-of-the-box OSes have wide-ranging support for drivers that they load automatically.
Re: (Score:2)
And you know it's a USB flash drive and not a gumstix or other tiny computer because... the sign said "usb flash drive!!1! plug in here for good porn!!one!" and signs could never lie?
Re: (Score:2)
Possible, yes. Probable? No. I'd love to find out someone was crazy-glueing gumstix to the wall in public places near me, I'd have a nice collection of gumstix for 5 seconds work with a mini pry bar.
but it is a could (Score:2)
it's just a particularly slow one.
Antarctica doesn't need dead drops... (Score:4, Interesting)
Blast that federal shutdown! (Score:1)
No thanks (Score:2)
1 - God only knows what virus is on that device or if its not just wired to 220 and fry your machine on contact.
2 - Who is watching? It wouldn't be considered entrapment if its the government.
hey INTERNET! (Score:1)
we are looking for people who would be interested to bring the deaddrops.com project fwd. things were slow but caught up now again in post snowden era ;) if you know php and are interested to support please get in touch! dev at deaddrops.com ;)
thx!
ARAM (i m the guy in the video
Re: (Score:2)
The best 99 you will ever spend:
http://www.monoprice.com/products/product.asp?c_id=103&cp_id=10303&cs_id=1030304&p_id=5432&seq=1&format=2 [monoprice.com]
Time to do more in Seattle (Score:1)
Re: (Score:2)
wifi drops (Score:2)
Those *might* be ok to use. at least then you can scan what you are getting, plus it wouldn't be obvious you are doing it.
Could be possible to use safely (Score:2)
But you're going to need an industrial-strength "USB condom". Data lines optoisolated. Power lines hooked to a battery in the condom. Both data and power lines on the "dangerous" side protected with fuses and overvoltage protection devices. And a microcontroller implementing a filter to make sure it can't pretend to be anything but a block storage device. Feasible, but worth it? I don't think so.
Hardly anonymous (Score:3)
Anyone who thinks this offers some form of anonymity in any way hasn't been paying attention. For instance, the locations are all known, there's a website that lists them all! Anyone interested in exactly who is downloading or uploading what just has to put up a hidden camera to watch the thumb drives.
So, interesting concept, poor execution. Now if the drives were accessible through wireless means, that would be a step towards creating a true dead-drop network. This thing as described is just a stunt. Art project? Yeah, I can believe that.
Small problem (Score:2)
Your anonymity in a dead drop system depends on the dead drop location being known only to you and to the person with whom you want to exchange the secret.
As soon as you publish the location of the dead drop anyone can observe it and you have no anonymity whatsoever.
Re: (Score:3)
This is sneakernet with anonymous strangers. I don't know about you, but that is a new one on me. It used to be I knew who I was getting the floppy disk from.
Re: (Score:2)
With sneaker-net you knew who you were dealing with, and you took it to them personally. You didn't just lay a grocery bag of anonymous floppies under a park bench.
Re: (Score:2)
anon sneakernet is still sneakernet
Re: (Score:1)
Dear incoherent racist troll:
When you die, you'll have accomplished nothing but making life for others slightly less wonderful than it otherwise would have been. You will have created nothing of lasting beauty, and wasted the only opportunity you'll ever have to do something great. You get one chance at this game of life, and you are losing at it. Badly.
Re: (Score:1)
That's actually what I put in mine