White House Decides P2P Isn't All Bad?

ethericalzen writes "An article this week at Cnet revealed that the White House doesn't necessarily hate everything about P2P. The Bush Administration apparently has called into question a law, known as the Federal Agency Data Protection Act, that would force all federal agencies to have plans guarding against the risks of P2P file sharing. In a Congressional hearing on IT security threats, the LimeWire founder was questioned about how his service warned users about the files and folders they are sharing. Karen Evans, the chief information officer for the federal government, stated that she was against singling out a particular technology when issuing computer security requirements. As it is the government already has a law which requires federal agencies to report on information security plans and risk assessments known as FISMA."

So let me get this right...

[Guinness2702]

...filesharing is the number 1 threat of leaking sensitive information. Damn, and I wasted all that money on memory sticks, FTP servers, back doors, and searching busses, taxis and trains [bbc.co.uk] trying to get my hands on secret data.

Re:

[Dan541]

Bittorrent is inherently more secure than lime wire,
and a hell of ALOT more secure than idiots losing laptops.

~Dan

Re:So let me get this right...

[iamacat]

In the context of a computer with classified information, P2P filesharing is a form of back door. Unlike Intranet server-based file sharing, the list of available files can not be centrally audited. Unlike FTP or SMB, programs like FireWire make extraordinary efforts to bypass firewalls, even potentially an HTTP-only proxy. Unlike a memory stick, computers can not be physically modified to prevent running P2P (unless you make federal employees use XBOX 360's with up-to-date firmware).

A federal agency blocking LimeWire and BitTorrent is a lot different from Comcast blocking LimeWire and BitTorrent and it's frustrating to see Bush administration going after the wrong thing. Let security-hardened versions of P2P be tried and tested in corporate world and then perhaps it will be ready for government use. I am thinking a version of BitTorrent where clients first share an encrypted file with each other and then get the decryption key and verify checksum from an Intranet server with a known public key.

Re:

[Shade of Pyrrhus]

The number 1 question here is "Why is this computer with classified information connected to the Internet, anyway?". It's VERY easy to "physically modify to prevent running P2P" by simply disconnecting the ethernet cable.

If there is so much of an issue with P2P and such, why are the important systems not in a controlled network with no outside access? In such a case, I would assume it's easier to lose a flash drive with a bit of info, rather than someone physically break into a government controlled faci

Re:

[julesh]

The number 1 question here is "Why is this computer with classified information connected to the Internet, anyway?". It's VERY easy to "physically modify to prevent running P2P" by simply disconnecting the ethernet cable.

Erm... because the people working with the classified information also need Internet access? And I doubt most of them have the information in question on their physical machine anyway, so disconnecting the ethernet cable would prevent them doing any work.

Re:

[Guinness2702]

One further wonders if this is an attempt to create FUD [adequacy.org] about P2P as a whole, and which organisations which are quite snug with the government might be interested in promoting this. But I'm probably just being too cynical now.

Conspiracy Theories

[MyNameIsFred]

I wish everyone who believes in grand conspiracy theories could work in Washington DC for a couple of years. They would then realize that most conspiracies are a load of bull. The vast majority of the government is run by civil servants that are NOT political appointees. And having worked in Washington, if you get a stupid political appointee as a boss, the system has a lot of inertia, and tends to wait them out. Look at the track record for most appointees, based on my experience, most of them don't last four years. A couple of years is normal. Its easy for the bureaucracy to drag its feet for a couple of years. With a new appointee, you get new priorities. Problem solved. That and Washington leaks like a colander. Keeping a secret is impossible.

Re:

[neildiamond]

I know some govt workers and filesharing really boils down to IT policy (and I'm not talk about super-sensitive CIA/FBI stuff). One IT guy I know says he doesn't mind people using things like SSH to get around the company firewall since he does it himself. (Plus, it would be really difficult to stop if you had your home server set to use SSH on a common port such as ftp anyway.) I realize that isn't Limewire, but what company public or private wants employees running Limewire or uTorrent on their deskto

Re:

[ewanm89]

Well, there are companies that distribute files to the public via bitorrent (mostly open source ones).

Re:

[julesh]

I realize that isn't Limewire, but what company public or private wants employees running Limewire or uTorrent on their desktop computers? Is there a major business case for that? If so, I have no idea what it is. It sounds like screwing around to me.

Speaking as the IT director of a private company, we have a machine that runs a bittorrent client in order to download updates for several pieces of software where we have found torrents the fastest and most reliable way of getting updates.

We have also consider

Re:

[gr8scot]

Speaking as the IT director of a private company, we have a machine that runs a bittorrent client in order to download updates for several pieces of software where we have found torrents the fastest and most reliable way of getting updates.

We have also considered using bittorrent with a private tracker as the easiest way of getting large chunks of data to clients.

That's very efficient and probably adequately responsible of you. But, if you had the federal government's resources at your disposal, I would hope you would have the competence to achieve adequate coverage using ssl and an array of government-managed mirror sites, which I think is the sort of redundancy originally seen as DARPANET's strength. P2P is more like redundant vulnerability.

Re:

[julesh]

That's very efficient and probably adequately responsible of you. But, if you had the federal government's resources at your disposal, I would hope you would have the competence to achieve adequate coverage using ssl and an array of government-managed mirror sites, which I think is the sort of redundancy originally seen as DARPANET's strength. P2P is more like redundant vulnerability.

Not all government agencies have the same resources as the high profile ones. Many of them run on inadequate budgets and wit

Re:

[gr8scot]

Not all government agencies have the same resources as the high profile ones. Many of them run on inadequate budgets and with a severe shortage of qualified staff.

I didn't explain my comment very well. My premise was that since they all ultimate report to the same boss [you and me], a single shared non-military federal computing network, modeled after DARPANET but distinct from it, would be the most sensible general solution.

I see no reason why a bittorrent transfer of an encrypted file could not achieve adequate security.

Anything's possible, but based on the news I've read in the past 10 years, and the billions that DDoS, fraud, and FUD have cost, I see no reason to assume that sharing one or more partitions or directories of a government employee's hard drive

Not the "stance" of the Bush administration.

[Anonymous Coward]

This was an off-the-cuff remark made by an individual who is loosely associated with the Bush administration. It is clearly not the stance of the administration, nor of the Republican Party as a whole.

Re:

[Guinness2702]

To be fair, you are quite correct.

FTA: Karen Evans, the federal government's chief information officer, told a House information policy subcommittee ... "While we recognize that technologies that are improperly implemented introduce increased risk, we recommend any potential changes to the statute be technology-neutral,"

Which kinda shoots down my earlier cynical FUD suggestion....in fact everything I've said sofar. I hang my head in shame at missing the key point of the article, and I shall go and start wr

Re:

[calebt3]

"I reject your reality and substitute my own!" --Adam Savage

Email

[Colin Smith]

Peer to peer... The single largest distribution network for files and other information.

This is why government isn't always a good thing.

 

Re:Email

[mixmatch]

As far as I know email is a server-based network. P2P got its name from the ability of clients to connect with each other directly without the use of a server. There are server-like services that assist the clients in finding each other and function as proxies for data, but often-times these also function as clients. By your definition, anything transfered on the Net is peer to peer.

Re:

[ScrewMaster]

The Net is by definition a peer-to-peer network, the whole concept of the data cloud. Packet goes in, packet comes out ... anywhere. Anything else is just a artifice laid upon that, a convenience at best, an obstruction at worst.

Re:

[Niten]

As far as I know email is a server-based network.

But broadly speaking, a "server" is anything that accepts incoming TCP/IP connections. A Bittorrent client is just as much a "server" as Postfix is.

On the other hand, if by "server-based" you meant to emphasize the client-server nature of most modern email systems, keep in mind that in the early days the very mainframe or workstation that you logged into was usually the same computer handling your email. At its inception, email was just as "P2P" as Bittorrent is today.

Re:

[mixmatch]

But broadly speaking, a "server" is anything that accepts incoming TCP/IP connections. A Bittorrent client is just as much a "server" as Postfix is.

Thats why we use the term peer. It replaces the client and server terminology when referring to a program that functions just as much as a client as a server.

Re:

[smurgy]

Bit of a non sequitir. Your point lends itself to the conclusion that communication itself is a bad thing; as long as there is some way to exchange information that exchange will be dangerous for entities wanting to control the dissemination of that information.

Government has nothing to do with it.

Re:

[Jarik_Tentsu]

Sensitive information? You get onto Limewire/BT/Whatever to download Warez and other stuff. How often do you jump on there to grab 'sensitive information'? Most of that is available on FTPs or forums around the net anyway.

~Jarik

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[wronskyMan]

If it's at the Supreme Court, everyone gets sanctioned, without right to a trial, for supporting it. I mean, at that point, how could you argue that they should get their day in court when it is the SCOTUS ruling against their law? Interesting plan, though what if SCOTUS rules in an unconstitutional manner such as Dred Scott, etc. Also, for everyone that recognized the blatant "felony" unconstitutionality of gun laws and political speech restrictions in the campaign finance bill, there were many other peop

Obvious isn't always obvious

[AnotherUsername]

Your obvious unconstitutional gun ban is my obvious constitutional neighborhood safety concern.

While I do agree with most of your points, and I have wished for a similar plan to be enacted, be careful of using the word obvious. What is obvious today as all people having life, liberty and pursuit of happiness only meant white, landowning males at the time of the founding fathers.

Re:

[Anonymous Coward]

Your obvious unconstitutional gun ban is my obvious constitutional neighborhood safety concern.

Yes, because it's been completely demonstrated more than once that gun-free zones are so much safer.

For the gunman doing the shooting, that is.

Re:

[AnotherUsername]

I was not putting forth any personal opinion. I do not wish to get into a gun control argument right now. Personally, I can see both sides.

I was merely pointing out that what is obvious to one is inconceivable to another. To use another 'hot topic': Abortion is completely justifiable and an obvious help to some, but to others, it is obviously murder. Does this clear up any confusion? Is it clear as mud?

Re:

[Henry V .009]

So, all the politicians who had voted for abortion bans before Roe v. Wade should have been arrested for passing unconstitutional laws?

You do realize that Constitution masturbation isn't actually that helpful towards realizing good government? Canada, Britain, etc., all have reasonably free and decent governments despite not having the American constitution. In other words, it's people and culture that make good government, not written constitutions.

Finally, whichever party controls Congress will really

Re:

[Samrobb]

In other words, it's people and culture that make good government, not written constitutions.

So... you're saying we're all doomed, then?

Re:

[maxume]

You would create a world where most people responded to the honor of being elected to office by resigning.

The system we have, which is largely based on good faith between elected officials and their constituents, doesn't always work all that well. You want to place all the blame on the elected officials. If you don't want to blame the constituents, why bother with democracy?

Re:

[Coraon]

everything you have written here makes perfect sense, there just a few problems. 1. the objective of a politician is to get into power and stay there, as long as possible. therefore anything that could remove them from power will be struck down, as they are the ones voting on it. 2. your under the mistaken impression that enough voters care about what happens in government. The Americans have been so brow beat into thinking that their vote doesn't matter, with that much voter apathy I doubt you could get e

Re:

[anexkahn]

I really like the third point you mentioned. Why should we pay congress to go out and campaign....

Re:

[Dhalka226]

) Establish two legal distinctions: misdemeanor and felony unconstitutionality.

You do realize that understanding the Constitution is not the job of the legislature, right? We created an entire third branch of government whose only enumerated power was to interpret the laws (ie eg, Constitution).

I think the best way to achieve a system where less unconstitutional laws go into effect is to require a judicial review for any piece of legislation that, say, 20% of congressmen vote to have one for. No more

Why should they use P2P?

[FrostDust]

I would hope government agencies would be smarter enough than to, and have plans to prevent against, installing P2P applications on their computers. Seeing the reaction of the public to government agents losing laptops containing citizens' valuable personal data, how pleased do you think they would be seeing "Joe Smith's Tax Return.pdf" on Limewire? Most government documents aren't made to be shared amongst a large enough group of people to make P2P usefull in any way. The only acceptible use of P2P in this

Don't Blame Technology

[ilikepi314]

My favorite part was this:

The most scathing criticism came from Rep. Jim Cooper (D-Tenn.), who launched into a lengthy monologue in which he deemed Gorton "one of the most naive chairmen and CEOs I've ever run across," and accused his company of making the "skeleton keys" that grant access to material harmful to U.S. national security.

"I'd feel more than a shade of guilt at this point, having made the laptop a dangerous weapon against the security of the United States," Cooper said. "Mr. Gorton, you seem t

Throttling coming to and end too?

[Kyle Wegner]

If our dear leaders are realizing the importance of P2P, does this mean that in the (relatively) near future they may actually seek to end the BitTorrent throttling by broadband providers (specifically Comcast!)? Here's hoping so!

Fly in the Soup

[MacWiz]

I'm looking at the comments on this page and I have to wonder if anyone remembers what file sharing is at its basic level.

Back in the late 80s, I was the editor of an entertainment supplement that ran in the newspaper in three mid-size towns. We had to use a modem to connect to each other and sometimes we could get a whole 1 kbps transfer rate to move text files. Within the office, file sharing was faster because we could swap floppy disks.

While I know you're all talking about swapping movies, music, games, etc., every corporate environment involves the sharing of information. A newspaper is a real good example of how you have to pull files in from your "peers" to collect and assemble them. Every day.

We spent so long looking for faster ways to move files around and now we've reached the point where this basic function is finally is working so well that we've gotta screw it up.

File sharing/information sharing is the purpose of the Internet. To even consider trying to stop it is ludicrous. You might as well just shut down the entire net because that's the only way file sharing stops. Then we'll just go back to faxes and snail mail.

Should it really be up to the guy that owns LimeWire to tell the government that maybe they shouldn't be using it at work? We have an Intelligence Department, but no one can figure out that, if they are going to use p2p, to do it from a machine with no sensitive information?

Probably not.

After all, most of the government still uses Windows, so security must not be that important to them.

Again, Executive incompetence = more Legislation

[gr8scot]

My favorite part of the article was the hyperlink text at the bottom of page one leading to page two, which suggests two interpretations of the situation that are both completely wrong.

CONTINUED: Blame P2P users or software makers?...

BS. Blame sysadmins who give their end-[L]users Administrator privileges. Not rights, privileges. Government employees don't own those computers, or those data. I do, along with the rest of the taxpayers. Administrator privileges to a government laptop by its daily user are completely inappropriate. Every software package on every government computer should be approved through a bureaucratic process as time-consuming as the worst urban myth about the Motor Vehicle Department and building permits put together. And, this is not uniquely a government problem, it's one of many symptoms of a cultural problem, specifically entitlement mentality. There is no good reason to have administrator access to a computer you have not personally purchased, but I hear a cacophony of pseudo-populist whining whenever I say that to semi-literate, entry-level keyboard operators.

Evidence that sensitive information is accessible through peer-to-peer networks illustrates "the importance of strengthening the laws and rules protecting personal information held by federal agencies" and other organizations, said Rep. Tom Davis (R-Va.), the committee's ranking member, who has sponsored a bill that would impose new requirements on government agencies that discover security breaches. "We need to do this quickly."

You need to do it right, and be sure to include a few clear, simple guidelines preventing -- not just prohibiting -- the installation of software by the end user, by limiting them to Limited User status.