Dead drop "peer-to-peer" file sharing
October 3, 2013 2:07 AM Subscribe
Aram Bartholl created the first file-sharing dead drops as an art project in 2010, but since then the more than 1200 USB dead drops have been installed around the world (28c3 talk, blog). Also, WiFi based dead drops called WiDrops offer better security than USB dead drops, especially for Windows machines, but require power.
As an aside, there are USB condoms for when you wish to charge a device off an unfamiliar USB line, but not transfer data.
As an aside, there are USB condoms for when you wish to charge a device off an unfamiliar USB line, but not transfer data.
USB glory holes?
posted by acb at 2:55 AM on October 3, 2013 [6 favorites]
posted by acb at 2:55 AM on October 3, 2013 [6 favorites]
Do these scream "autorun virus" to anybody else?
posted by Pope Guilty at 3:17 AM on October 3, 2013 [8 favorites]
posted by Pope Guilty at 3:17 AM on October 3, 2013 [8 favorites]
There's a Raspberry Pi image at WiDrops. Since my Pi is just gathering dust, this is kinda tempting.
posted by honestcoyote at 3:27 AM on October 3, 2013
posted by honestcoyote at 3:27 AM on October 3, 2013
Do these scream "autorun virus" to anybody else?
Yes. Even if that's not their intent, that's probably what they'll soon be used for.
posted by Kirth Gerson at 4:10 AM on October 3, 2013
Yes. Even if that's not their intent, that's probably what they'll soon be used for.
posted by Kirth Gerson at 4:10 AM on October 3, 2013
Since my Pi is just gathering dust, this is kinda tempting.
Of course, all it takes is one griefer to connect to it and load it up with child porn and/or al-Qaeda bomb manuals and you (or whoever's electricity it's plugged into) are screwed.
posted by acb at 4:15 AM on October 3, 2013
Of course, all it takes is one griefer to connect to it and load it up with child porn and/or al-Qaeda bomb manuals and you (or whoever's electricity it's plugged into) are screwed.
posted by acb at 4:15 AM on October 3, 2013
Do these scream "autorun virus" to anybody else?
Not to Mac or Linux users. On the other hand, a malicious Mac or Linux trojan labeled simply "DO NOT CLICK ME" will likely be enough to get a large number of people infected, because you're not the boss of me, unknown executable file!
posted by Slap*Happy at 5:07 AM on October 3, 2013 [8 favorites]
Not to Mac or Linux users. On the other hand, a malicious Mac or Linux trojan labeled simply "DO NOT CLICK ME" will likely be enough to get a large number of people infected, because you're not the boss of me, unknown executable file!
posted by Slap*Happy at 5:07 AM on October 3, 2013 [8 favorites]
"If I handed you a USB drive, you'd plug it in. But because it's on the street, it makes us think very differently about it," Bartholl said. "It's a lot about perception."
This is a ridiculous argument. If you hand me a USB drive, I can evaluate whether I think you are trustworthy and/or security conscious. There is no way I can do that to a publicly-accessible drive. I mean, I guess I can, but it will be the default "hell, no" sort of assessment. So, I guess it is about perception....
posted by GenjiandProust at 5:12 AM on October 3, 2013
This is a ridiculous argument. If you hand me a USB drive, I can evaluate whether I think you are trustworthy and/or security conscious. There is no way I can do that to a publicly-accessible drive. I mean, I guess I can, but it will be the default "hell, no" sort of assessment. So, I guess it is about perception....
posted by GenjiandProust at 5:12 AM on October 3, 2013
Cool!! Also, I'm eating a piece of hamburger I found on the sidewalk this morning.
posted by aught at 5:16 AM on October 3, 2013 [11 favorites]
posted by aught at 5:16 AM on October 3, 2013 [11 favorites]
Of course, all it takes is one griefer to connect to it and load it up with child porn and/or al-Qaeda bomb manuals and you (or whoever's electricity it's plugged into) are screwed.
That's probably true, though the existing dead drops and pirate box people don't seem to have too much of a problem. Either that or their boxes are littered with CP and the authorities haven't bothered.
But there does seem to be a decent solution in having the box auto-reject any executable file and all other files go into a private upload folder for moderation before being made public.
posted by honestcoyote at 5:53 AM on October 3, 2013
That's probably true, though the existing dead drops and pirate box people don't seem to have too much of a problem. Either that or their boxes are littered with CP and the authorities haven't bothered.
But there does seem to be a decent solution in having the box auto-reject any executable file and all other files go into a private upload folder for moderation before being made public.
posted by honestcoyote at 5:53 AM on October 3, 2013
"If I handed you a USB drive, you'd plug it in. But because it's on the street, it makes us think very differently about it," Bartholl said. "It's a lot about perception."
Well you'd think that.
posted by jason_steakums at 7:23 AM on October 3, 2013 [2 favorites]
Well you'd think that.
posted by jason_steakums at 7:23 AM on October 3, 2013 [2 favorites]
If you handed me a USB drive and said you found it, I'd try to help the owner by looking into it to see if I could find the owner.
Just because your operating system is stupid and runs things at your privilege level (in other words, it's broken by design) doesn't mean I'm stupid for just being a decent human being and trying to help.
Get a better operating system, and you too can rejoin the ranks of decent human beings who try to help each other out.
posted by MikeWarot at 7:31 AM on October 3, 2013 [1 favorite]
Just because your operating system is stupid and runs things at your privilege level (in other words, it's broken by design) doesn't mean I'm stupid for just being a decent human being and trying to help.
Get a better operating system, and you too can rejoin the ranks of decent human beings who try to help each other out.
posted by MikeWarot at 7:31 AM on October 3, 2013 [1 favorite]
Do Windows flash-drive worms/viruses exist that can infect when Autorun is disabled?
posted by Western Infidels at 7:34 AM on October 3, 2013
posted by Western Infidels at 7:34 AM on October 3, 2013
There is supposedly no autorun facility in Mac OS X, but I've seen .dmg files launch installer applications automatically, which makes me suspicious.
posted by jeffburdges at 7:38 AM on October 3, 2013 [1 favorite]
posted by jeffburdges at 7:38 AM on October 3, 2013 [1 favorite]
The question of security is incorrectly framed in the Windows/Linux/Mac world. It should NEVER be "Do I trust this program?", but should rather be "What resources do I wish to trust this program with?".
If your operating system doesn't let you do that for any given program, you have a broken (by design) operating system, and it's crippling your computer.
posted by MikeWarot at 7:45 AM on October 3, 2013
If your operating system doesn't let you do that for any given program, you have a broken (by design) operating system, and it's crippling your computer.
posted by MikeWarot at 7:45 AM on October 3, 2013
A specially-crafted USB device could also exploit kernel-level bugs. In 2011 such bugs apparently weren't hard to find in Windows or Linux; I didn't see that these researches tried on Mac.
posted by jepler at 7:48 AM on October 3, 2013
posted by jepler at 7:48 AM on October 3, 2013
This is pretty cool. Deal Extreme has USB drives for as little as $5 so a person could blanket an area pretty cheap. I wonder how vandal resistant JB welding a USB drive to a metal pole would be. Because attaching these things to something like that rather than a building seems a bit less antagonistic. Besides we don't have much in the way of brick buildings around here but there are all sorts of publicly owned metal poles around and I bet with a little preparation you could use epoxy to stick these things to a pole without anyone noticing.
posted by Mitheral at 8:33 AM on October 3, 2013
posted by Mitheral at 8:33 AM on October 3, 2013
Given that USB is a network interface, and a USB device is effectively a network host that acts as a server and answers requests, it is possible to program one to get up to all sorts of mischief, from acting as a dishonest storage device (i.e., showing only part of its capacity, or recognising the access patterns of forensic disk imaging and returning falsified data) to aggressively attacking the host machine using DMA commands. So one (with sufficient resources) could fairly easily make a device that looks like a Flash drive, contains no malicious files on its data partition and yet attempts to compromise a host machine.
How easy are those things to develop? You can get USB-hosted microcontroller development boards like the Teensy for about $20 and program them in C to behave like any kind of USB device. Granted they are bulky and have a USB-B connector rather than the USB-A plug, but making something that looks like a flash drive is basically an off-the-shelf microcontroller, a custom PCB and some decent soldering skills away.
posted by acb at 8:33 AM on October 3, 2013
How easy are those things to develop? You can get USB-hosted microcontroller development boards like the Teensy for about $20 and program them in C to behave like any kind of USB device. Granted they are bulky and have a USB-B connector rather than the USB-A plug, but making something that looks like a flash drive is basically an off-the-shelf microcontroller, a custom PCB and some decent soldering skills away.
posted by acb at 8:33 AM on October 3, 2013
I think it'd be even simpler for a USB device to emulate a keyboard or mouse and send malicious commands to the computer it connects to. Every operating system is vulnerable to this.
posted by zixyer at 9:32 AM on October 3, 2013 [3 favorites]
posted by zixyer at 9:32 AM on October 3, 2013 [3 favorites]
aggressively attacking the host machine using DMA commands
No, that particular article is wrong: the USB spec does not include the "DMA direct to host memory" stuff that enables the Firewire DMA attacks.
All the rest though, yes -- if you're writing the device firmware you can certainly make it present as a normal device but act dishonestly.
such bugs apparently weren't hard to find in Windows or Linux
Probably not helped by the fact that host-side USB is also a rats nest of compatibility/quirks fixes for oddball devices that almost-but-not-quite obey the spec.
posted by We had a deal, Kyle at 3:06 PM on October 3, 2013
No, that particular article is wrong: the USB spec does not include the "DMA direct to host memory" stuff that enables the Firewire DMA attacks.
All the rest though, yes -- if you're writing the device firmware you can certainly make it present as a normal device but act dishonestly.
such bugs apparently weren't hard to find in Windows or Linux
Probably not helped by the fact that host-side USB is also a rats nest of compatibility/quirks fixes for oddball devices that almost-but-not-quite obey the spec.
posted by We had a deal, Kyle at 3:06 PM on October 3, 2013
MikeWarot: but should rather be "What resources do I wish to trust this program with?".
This counts on your operating system not having security bugs. Ideally, this would (mostly) be the case, but most Linux distros aren't perfect on this front, and Windows and OSX have had plenty of problems on that front. It's probably a rational decision to say "I don't trust this program as far as I can throw it, so I won't run it at all."
posted by thegears at 6:37 AM on October 4, 2013
This counts on your operating system not having security bugs. Ideally, this would (mostly) be the case, but most Linux distros aren't perfect on this front, and Windows and OSX have had plenty of problems on that front. It's probably a rational decision to say "I don't trust this program as far as I can throw it, so I won't run it at all."
posted by thegears at 6:37 AM on October 4, 2013
I'm happy with this permissions derail so I'll linky the NSA's SE Android project and this :
Taking Back Control of Your Data, With Fine Grained, Explicit Permissions
All this OS level security just only protect against malicious or poorly designed applications though. Ain't so useful if you wish to keep your boss from knowing that your a raver. For that, we'd might attempt to regulate links between online and offline identities. I suppose maybe :
- No site may require real names in publicly accessible data, including third person data like photo tags. So a dating site may require real names that get exposed in private conversations, but facebook cannot require real names so long as a photo tag might become visible publicly. All sites must allow users to change their publicly visible user names, urls, etc. away from their real names if asked.
- Sites with photo tagging must support mass untagging photos. Sites with auto-tagging features must offer an opt-out. Auto-tagging must switch to opt-in if the site detects two users with the same face, etc.
- Sites should not penalize users for merely possessing sock puppets, although violating other site rules is fine.
All that sounds pretty heavy, but ideally people could resolve these problems with SBB
Idea being : Just make yourself a new online identity if you need some privacy.
posted by jeffburdges at 5:31 PM on October 6, 2013
Taking Back Control of Your Data, With Fine Grained, Explicit Permissions
All this OS level security just only protect against malicious or poorly designed applications though. Ain't so useful if you wish to keep your boss from knowing that your a raver. For that, we'd might attempt to regulate links between online and offline identities. I suppose maybe :
- No site may require real names in publicly accessible data, including third person data like photo tags. So a dating site may require real names that get exposed in private conversations, but facebook cannot require real names so long as a photo tag might become visible publicly. All sites must allow users to change their publicly visible user names, urls, etc. away from their real names if asked.
- Sites with photo tagging must support mass untagging photos. Sites with auto-tagging features must offer an opt-out. Auto-tagging must switch to opt-in if the site detects two users with the same face, etc.
- Sites should not penalize users for merely possessing sock puppets, although violating other site rules is fine.
All that sounds pretty heavy, but ideally people could resolve these problems with SBB
Idea being : Just make yourself a new online identity if you need some privacy.
posted by jeffburdges at 5:31 PM on October 6, 2013
« Older Nope Nope Nope | i want my mommy Newer »
This thread has been archived and is closed to new comments
posted by jeffburdges at 2:10 AM on October 3, 2013