P2P Network Exposes Obama's Safehouse Location

Lucas123 writes "The location of the safe house used in times of emergency for the First Family was leaked on a LimeWire file-sharing network recently, a fact revealed today to members of the House Oversight and Government Reform Committee. Along with the safe house location, the LimeWire networks also disclosed presidential motorcade routes, as well as sensitive but unclassified document that listed details on every nuclear facility in the country. Now lawmakers are considering a bill to ban P2P use on government, contractor networks."

Wow

[GofG]

If it had been leaked by uploading it to a server, would they ban the ftp protocol?

ban the man

[OrangeTide]

We must ban everything that we don't understand until we can feel safe again.

Re:ban the man

[dirtyhippie]

Congress's reaction is predictable and hilarious, but to be fair, they are only talking about banning P2P use on government computers. I don't have a problem with that. If you are working on government contracts, you should probably have a seperate computer from where you keep your music, porn, etc.

Re:

[Anonymous Coward]

I agree 100%. I don't bring my laptop where I keep my pr0n, music and run my P2P apps, this should be common sense for anyone and this should be twice as apparent for someone working for the gov't.

If I was allowed to have mod points I would have modded you up.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[shaitand]

Well there is some distinction here... government contractors are not government employees. Just because the city contracts me to redesign their sewers doesn't mean they dictate what will be run on my office machines unless they are going to supply machines exclusively for that use.

Re:ban the man

[tchuladdiass]

But they can mandate appropriate data protection procedures for anything that you work on for them. Usually they will point to a standardized security policy and say that you have to pass an audit that meets that policy.

Re:ban the man

[davidphogan74]

A blanket ban on all P2P programs is still overkill, and not at all necessary. Bittorrent programs are P2P by definition, but you're not going to accidentally share a file with them any more than you're going to accidentally install Linux because of them.

Re:

[Bakkster]

Then ban it on any machine with sensitive information. Any machine that needs to push P2P information just can't have sensitive information. QED.

Re:ban the man

[OrangeTide]

Key word is "contracts". If I contract you, I can make all sorts of crazy demands. This happens all the time in the Real World(tm). And can include preventing you from discussing things with third parties. Or requiring certain specific standards including what software you use to design the sewers. As long as there are consideration, there is a pretty wide range of things that are binding in a contract. Of course crazy demands generally reduce the quality of the contract or increase the amount of money necessary to find a taker.

And while generally legal, being overly specific about terms that don't matter is a great way for a bureaucracy to waste money and a tremendous amount of time.

Re:

[GigsVT]

Would you support banning HTTP on government computers too?

Re:

[Freetardo Jones]

Yes. It is their property and they can set whatever rules they want on its use.

Re:

[GigsVT]

It applies to contractor's computers too.

Re:

[contrapunctus]

Maybe they (people responsible for new policy) are thinking computer users that have this data are too stupid to realize what they are sharing when they install p2p software on the same computer that has this data.

Re:ban the man

[Anonymous Coward]

I work for a defense contractor. We have sensitive government data on our networks because of the nature of the work we do, and the only thing we're allowed to do to the internet is make http and https connections through a heavily firewalled and restrictive proxy, so that not only we can't leak stuff out on purpose with filesharing software, but so that commercial software can't phone home and give away something it shouldn't even by accident. Not to mentioned that we sign an NDA when we hire on that explicitly says we (individual employees) will not leak stuff out or through carelessness allow stuff to be leaked out. In my opinion whoever leaked this stuff out onto limewire probably broke several federal laws already on the books and might be looking at jail time.

Re:ban the man

[Un pobre guey]

Of course, if the P2P SW manages to tunnel through using http, you're back on square 1. I know, I know, you have a super duper deep-packet-sniffing sure-fire 100% secure proxy. Uh Huh. Sure.

Re:

[Missing_dc]

I work for a defense contractor as well, and I help clean up/secure data spills frequently. Despite the NDA and high level clearances these guys had to prove they were bland enough to get, they are never punished for the spills. I've seen spills that have affected and inconvenienced a thousand employees, as we confiscate their BBs and PCs and they get to sit and wait while we get new ones prepared, the responsible party never gets punished and sometimes thinks it is funny. I have asked people to leave m

Re:

[nizo]

Mostly I would promote beatings and the pillory for people who put classified information on a computer that is ever connected to the internet. This would be on top of the usual loss of clearances and everything else that would already happen now.

Re:

[KronosReaver]

Perhaps the Internet can just ban the Government instead...

It would be a WIN - WIN Situation

baby and bath water

[zogger]

Some leaks are good though, and necessary for maintenance of a free Republic. They are last ditch efforts by someone who is aware of "clear and present danger" when all else has failed to affect honesty and following the law in whatever bailiwick this person is working in, and usually the leakers are anything but traitors, they can be overwhelming patriots helping to expose the real bad guys and bad stuff. They can help expose government lies and corruption, when the official channels (all the way to *the very top*) are themselves completely corrupt, making any other effort doomed to failure.

    Here's a prime example. [wikipedia.org] This leak was a *really big deal* for my boomer generation and certainly did some good, long range/historically speaking.

Re:

[Gerzel]

And the next time a government contractor wants to get the latest linux distro?

There are other uses of P2P than just porn, music, etc.

Re:ban the man

[sbeckstead]

He can go to a computer on the proper network and download it just like the military has to do now. There are darn few uses for P2P that can't be handled better by something else.

Re:ban the man

[Beardo the Bearded]

I work with military ... stuff. When we have a classified or higher document, it doesn't go on our normal computers, like the one I'm using now. It goes on The Secret Computer, which is in its own room, on no networks, and it requires a key, a passcard, and supervision. Things like USB are locked out. It's a secure station. You can't hack it because there's no access to the device. Social Engineering won't work that well because you've got to be vetted every 5 years to maintain your access. Plus, we're all psychologically tested, have credit checks, and are generally very well looked after.

That is for that rare slice of documentation that is classified and is allowed on a computer. It's a nightmare to get a copy of a classified document -- do you think they would allow you to just hit "print" and get a second (or hundredth) copy? These files are very often (and yes, it's 2009) paper only, sent via special channels. You don't just email Secret documents off to whomever has a .mil email address. Generic workstation + classified document = security violation = jail.

Now, the WHOLE ARTICLE IS BULLSHIT

IT IS A PRESS RELEASE BY A COMPANY THAT STANDS TO MAKE MONEY FROM A MONITORING CONTRACT

Things like the nuclear document are just bullshit. If it's sensitive, it's Classified. If it's not sensitive, it's not. The End. If it was sensitive and improperly declassified, then that's a Monumental Fuckup. You can't say "oh noes nukelar secrets on lemonwire! give us teh monitoring contract!" What are the details, mailing addresses?

(Note for the pedantic: I'm using "Classified" as an umbrella term for anything that requires a security clearance because I didn't feel like typing out the various levels of document classification over and over again.)

Re:

[pixelpusher220]

Personal information is not 'classified', but it is 'sensitive'; so yes it can be the case where data is sensitive but not classified.

You're right on about the press release thing though...my thoughts exactly. When I read "and previously reported the Presidential Helo plans were found online" and other similar things. Maybe we want to look at this company that just *happens* to keep finding things online that help it out business wise. (yes I know the helo plans were traced specifically but just sayi

Re:

[TheCabal]

You sir, are wrong. You have startling amount of misinformation on sensitive document handling. You scare me.

There is no "Classified or higher". It is either classified or it is not. "Classified" is not a classification.

Personally Identifiable Information (PII) is unclassified but considered sensitive, and an official incident is filed when there is possibility that PII has been disclosed. There is also Unclassified Controlled Nuclear Information (UCNI), which by definition is unclassified but sensitive and

Re:ban the man

[NotBornYesterday]

You say this as a joke, but that's what members of congress are actually talking about. FTFA:

Towns [House Oversight and Government Reform Committee chairman Rep. Edolphus Towns, (D-N.Y.)] said that the file-sharing industry's promises to self-regulate itself had clearly failed. "Specific examples of recent LimeWire leaks range from appalling to shocking," Towns said. "As far as I am concerned, the days of self-regulation should be over for the file-sharing industry."

Saying "the days of self-regulation should be over" is congresscritterspeak for "we're about to regulate another industry", which in this case would be a) bad, b) useless, and c) undeserved. Bad because it would stymie technical development in the US, and useless because said development would then simply take place elsewhere in the world. Undeserved, because Limewire did not attempt to spread US government secrets. Their software was simply the mechanism by which some idiot (presumably a government-employed idiot, but that would be redundant) knowingly or unknowingly loosed this material into the wild.

Other members want the issue investigated by the Federal Trade Commission, the Securities and Exchange Commission and law enforcement authorities. They said that the continued failure by companies such as LimeWire to take more proactive steps to stop inadvertent file-sharing is tantamount to enabling illegal activity resulting from the data leaks.

And how do they propose that Limewire prevent sharers from sharing government secrets? By sending someone to each Limewire installation to make sure the luser configured it correctly? To the power-grabbing, meglomaniacal nanny state committee-rats in congress, here's an idea: clean your own house first. Clamp down on those with the poor judgment to run p2p sharing apps on systems that have sensitive data. Is there a rule against it? No? Make one. Yes? Enforce it. Hell, ban p2p on all govt systems, sensitive or not, and enforce it like the matter of national security it is.

Re:ban the man

[BobMcD]

To the power-grabbing, meglomaniacal nanny state committee-rats in congress, here's an idea: clean your own house first.

You're completely discounting the possibility that this data was planted on LimeWire by the government expressly in order to give them this exact leverage.

Those files could be completely false, for all we know.

People that take action based on this allegation alone are dumb, dumb, dumb.

Re:

[NotBornYesterday]

I actually did consider that possibility, either for deceiving foreign intelligence, or for domestic leverage, and/or wag-the-dog type distraction from other events.

People that take action based on this allegation alone are dumb, dumb, dumb.

Yes, I know. This is Congress we're talking about, after all.

Re:ban the man

[Bovius]

People that take action based on this allegation alone are afraid.

Fixed that for you. The USA's policies these days are driven primary by blind, largely irrational fear. Although I suppose that could be transliterated into stupidity.

The sad truth is that we have plenty of incompetent people to perform these kinds of blunders without the need for shadow organizations to orchestrate them. Anyone in the government with a will to exact more control over the public has their arms more than full of these kinds of stories.

Re:

[tkw954]

And how do they propose that Limewire prevent sharers from sharing government secrets?

I propose that all governments send Limewire all their secrets to that a filter can be set up. Since this is likely to be a large file, it is probably easiest if they transfer the data by putting it in their publicly shared folder and then allow the filter maintainers to download it from there.

Re:ban the man

[T Murphy]

some idiot (presumably a government-employed idiot, but that would be redundant)

As an idiot, I take offense at the notion that I am on the same level as a government employee!

Re:

[NotBornYesterday]

My apologies. That was truly insensitive of me.

Re:

[Dragonslicer]

Wait, there's a file-sharing "industry" now?

Re:

[sbeckstead]

This is a very prudent course actually. If I don't understand it and it is obviously being misused like this I want it off my network NOW!

Re:

[interkin3tic]

Suprise: lawmakers are once again clueless when it comes to technical issues that have been around for less than 100 years.

The real question is who is advising them so poorly?

Re:

[Lally Singh]

Mostly poly-sci student interns.

Re:

[thePowerOfGrayskull]

Suprise: lawmakers are once again clueless when it comes to technical issues that have been around for less than 100 years.

The real question is who is advising them so poorly?

Actually, I would say - depending on the final implementation - this may be remarkably clueful. Let me put it in a context that's a little closer to home: I don't want stupid employees with access to my tax records using their PCs to do anything but work. Each additional thing they do increases the chance that going to go and "click on the bunnies", thus ensuring that my data - and yours - is available to whichever botnet claims the machine. So hell yeah - ban all non-governmental use of file sharing. Ba

Re:Wow

[Artifakt]

I'm a stupid employee who has access to your tax records (if you pay the corporation I work for to do your taxes). Here's why I need File transfer and web access.

1. I do returns for the normal US income tax, all 50 states and some odder locations (territories, other nations). I send these electronically most times, but some locations still require paper filing. I would need copies of both all the forms and each year's instructions, going back at least 4 years for the Federal individual taxes, and longer for corporate taxes and some others. I guess I could keep copies of all those forms in office for the occasional use, instead of downloading them only for the rare instances they are needed - However, we'd have to literally buy the grocery stores in the same malls as our typical offices to make those 'back rooms' big enough to store all that. There's a reason why Federal forms sometimes have numbers like 9737-F, or Schedule M3 (version for form 1120, hispanic).

2. I research stock basis for customers about 50 times a year - it's incredible how many people don't know what they paid for the stock they just sold. I also have to occasionally determine what the property tax rate in some particular city or county of some other state is, find an employer ID number for one of over three thousand day care centers in our area, get a copy of someone's W-2 from an employer that only posts them through an online aggregator.
      I could probably keep updated local tax tables for 140,000+ locations without the net, but there's a turnover of about 250 new daycare businesses a year in the area I am responsible for, and the average phone contact with one of those results in some idiot who thinks what I am asking for is their sacred duty to protect from me the 'social engineer', instead of something they are legally required to add to their yearly statements to their customers. Being able to get those from the state's website saves us maybe a hundred hours a year and greatly improves chances of our clients managing to file on time.
      Take away the net for daycare contact, and you have two choices. Draconian enforcement of the laws about providing records on time, with all the escalating penalties maximized until any mom and pop business that doesn't bother to learn and follow all the regs is savagely and swiftly driven out of business, or my company and all our competitors raise the fees for filing a child care credit by about 200$ a form.

3. I sort and handle records by SSN, something I personally don't trust when most businesses do it to me and wish I could avoid asking for with my clients. But, in this case, there is no other way for me to do it - I have to collect and give people's SSNs to the government on the forms, so I might as well use them for internal tracking as well. I see all sorts of other data, i.e. bank account numbers for people paying the IRS by direct withdrawal or getting back by direct deposit at the very least, or prescription numbers for controlled painkillers when I prepare some people's schedule As, and recording any of that that isn't absolutlely required or keeping it after it's been used would be even riskier than purging it from the databases after use and keeping the SSNs. I still have to hand carry many documents rather than fax them, even though a lot of federal or state agencies are a lot looser with security than we are and I see faxes into the office that break all sorts of rules.

I need web access to do my job, but that required access is so broad there is no policy you could write to limit that web access that wouldn't hurt some of my clients. I have had to get copies of 1099-MISC's for exotic dancers, Breakdowns of employee related expenses from Game designing companies, and even look at a person's home office over a webcam before. The first year we set a policy that prohibited adult sites, game sites, or webcams, I had to request five exemptions and it would have been higher but most of the customers were willing to go to some trouble to put returns on hold and wait till they hand carried forms instead. Probably most preparers in my district had two or three such problems minimum. We still have a policy, but the exemptions system makes it pretty much swiss cheese.

Re:

[INeededALogin]

If it had been leaked by uploading it to a server, would they ban the ftp protocol?

That would be espionage. They would be tried for treason.

Re:Wow what a kneejerk.

[LWATCDR]

They are not banning P2P they are banning running it on government PCs and contractors PCs.
Frankly any company that allowed it's employees to put Limewire on a work PC shouldn't be a government contractor.

Re:

[clone53421]

Yeah, because people are too dumb to realize that sharing My Documents might – just maybe – be one of those Very Bad Ideas. Especially since they're also too dumb to realize that that's also where they keep their GF's nudes or their password list.

I've "hacked" into several e-mail accounts, instant messenger accounts, and even a RapidShare premium account by finding people's login details on LimeWire. I didn't do much of anything to cause trouble, other than verifying that the credentials were st

Not this again...

[mlts]

Its not P2P in itself that is wrong. It is the use. The leaked information could have wound up on a website, blog, or FTP server, and I'm almost sure nobody would be saying that those technologies should be banned.

Re:Not this again...

[gnick]

Still, unless there's some strange and compelling business need, no big business should be allowing employees to run Limewire at work IMO. Especially on government machines with sensitive information. Some P2P may be useful for business purposes. But Limewire?

Re:

[Lord Ender]

Some filesharing software shares all of a person's data by default, or at least makes it easy to mistakenly configure it to do so. Most, if not all, filesharing software makes it easy for someone to inject trojaned or backdoored software into the network in such a way that average users cannot distinguish it from legitimate software.

It is a perfectly reasonable security trade-off for an organization to prohibit the use of filesharing software, so long as the term is adequately defined.

Re:

[interkin3tic]

The leaked information could have wound up on a website, blog, or FTP server, and I'm almost sure nobody would be saying that those technologies should be banned.

Don't give them any ideas!

Re:

[Darth_brooks]

You're right, It's not P2P itself. It's the perception of what P2P is. I say P2P here, and we think of torrents for ISO sharing (at least, for legitimate use). Say P2P anywhere else and people think "Oh yeah, that's that program that lets you get free music and shit."

As far as the latter use is concerned, there's no way that stuff belongs on any work related network, government or otherwise. Ban away. Anything legitimately work related can be obtained by other means. What you do at home is not my concerned,

Re:

[PRMan]

Even better. Have a blanket ban on P2P except for a single IT employee that can download things for the IT staff. Problem solved.

Re:

[sbeckstead]

It upsets me when useful iso files are only available by torrent. I have better things to do than spend my time figuring out how not to have my confidential work crap splattered all over the internet. I don't use or install anything torrent related on my work PC and I rarely do at home either I find it's just not that useful to have to sort through all the porn, music files and illegal movie crap splattered all over as it is. Give me a direct download every time and I'm happy.

Re:

[Jugalator]

Its not P2P in itself that is wrong. It is the use.

Of course, I actually don't think they're mistaking themselves there. But rather looking to ban use on gov't networks just so stupid users won't use it incorrectly and share everything they've got.

Re:Not this again...

[MozeeToby]

The issue isn't the P2P per say, it's the fact that many P2P programs make it easy to accidentally mark files for uploading that you don't mean to. A lazy/stupid/uninformed user stands a decent chance of sharing information without even realizing it, I remember trying to explain that to someone in my family way back when Napster was big, that they were sharing all of their documents out over the network because that is where they happened to store their downloaded files and they had marked the folder as one to share, not realizing that it would share files other than those they had downloaded.

Any program that can upload user documents without the user having knowledge of it shouldn't be used on any kind of sensitive system. In my mind, bit torrent is relatively safe from this, since it requires the user to create a torrent and make it available, not the kind of thing that is going to happen accidentally.

its already banned on all government networks?

[Anonymous Coward]

whatever network administrator lets limewire traffic outside of the firewall needs tossed

Re:

[Major Blud]

Man, the jokes are going to start pouring in:

"Now that's government transparency"

"After exposing the location of the vice-presidential bunker earlier this year, Joe Biden also forgot to uninstall Limewire from his netbook"

Re:

[gnick]

My first thought was, how in the world did the Pres get LimeWire running on his BlackBerry?

Encryption?

[sexybomber]

If the leaked data was so sensitive, shouldn't it have been encrypted, or at the very, very least, password-protected? That seems like a no-brainer.

Re:

[Brigadier]

you would be surprised how many white house interns are non brainers

Re:

[Fastolfe]

How do you know it wasn't encrypted and password-protected? You have to decrypt and provide a password to access an encrypted and password-protected volume, right? The problem here is that the moron had Limewire configured to scan for and share everything on his system, including the sensitive stuff. If he did this after he'd opened the encrypted volume, Limewire would have been able to access it like any other file.

Re:

[Freetardo Jones]

Even so, information is leaked by people, not P2P software.

But if they weren't able to run the P2P software in the first place it would have had a 0% chance of being leaked to Limewire.

Information wants to be free

[davidwr]

Information wants to be free.

Especially high-value information.

Re:

[jerep]

Exactly, its the people who keep information for themselves who are the thieves.

We all praise our society for its freedoms but the only free things we have are the choices between hundreds of meaningless entertainments and foods.
I for one welcome our pirate friends who free more and more informations every day.

If i learned how to code through leaked sources, maybe someone will protect the president out of this leaked information.

It never stops.

[arthurpaliden]

People who have no idea of how the Internet or its related technology works making laws to regulate it. Next it will be brief cases becasue sometimes important documents get left in them and then they get lost or stolen.

Re:

[account_deleted]

Comment removed based on user account deletion

Because...

[Darkness404]

Because these documents could never be exposed using HTTP, FTP or a number of other protocols. So of course the answer is to ban P2P.

Re:

[Fastolfe]

There's a subtle difference here, though. When you install an HTTP or an FTP server, it doesn't "helpfully" offer to scan your entire computer for things to share, and publish that information in a search engine. Yes, misconfigured software can expose sensitive data, but in this specific case, the P2P software in question makes it ridiculously easy to accidentally share things you probably do not want shared.

And?

[Vinegar Joe]

Biden has already told the press the secret location of the VP's emergency bunker.

http://blog.newsweek.com/blogs/thegaggle/archive/2009/05/15/shining-light-on-cheney-s-hideaway.aspx [newsweek.com]

Re:

[pluther]

The difference here is that this is the currently used locations, routes, etc., used for the current administration, as opposed to one of the hiding places built for the use of one guy who's no longer in office.

Re:

[Lazlo Woodbine]

Years [bbc.co.uk] after BBC broadcast it to the world.

Re:

[Chris Burke]

Yeah, so the big question for me is where is Obama's safe house? Would it perchance also be directly beneath his regular house?

ZOMG the Presidential Safe House is the basement of the White House?!

Re:

[pluther]

Bethesda leaked that information months ago!

Firewall

[Krneki]

Do they have anyone in charge of the Firewalls in the White house?

And why are they using Windows for security sensitive information?

Yeah, blame P2P, oh and Canada too, just to be sure.

Re:

[jerep]

Personally I blame the government itself. Who needs a secret president hideout when you can just pick the next guy in line to do the same job, its still gonna be the same corporate people making the decisions anyways.

Let me know when...

[Photo_Nut]

Let me know when the government bans all forms of communication...

Until then, the problem with secret information is always going to be a matter of trusting the people who you share the secret. Secret service routes and secret emergency locations are secret for a reason, but this kind of breach of security is not due to the technology used to leek it, but rather due to the people who leaked it.

Rather than going after P2P technology, the government should be looking into who leaked this information and makin

Bans on poorly understood connectivity software

[tgrigsby]

What they're really criminalizing is stupidity. Not P2P per se, but the use of a class of software that, when not properly configured, could give the world access to all your files, including ones that you may not want the world to have access to. And the kind of information on a government computer is can be so sensitive that you can't just make it a matter of policy, punishable by termination; you have to make it a crime.

Someone on here mentioned FTP, and they would be correct that setting up an FTP ser

Before everyone jumps to the defense of P2P...

[jpstanle]

What business do P2P file sharing apps have one government and contractor computers? While I'm sure many will rightfully point out the security through obscurity is rarely effective, and this information could have been leaked through any number of less sexy protocols like FTP, P2P file sharing has no business on government and contractor networks (BTW, when I say contractor networks, I'm referring to those that may contain sensitive or classified information). P2P apps are certainly the most common and ava

"Gov't secrets" is an oxymoron

[nitroamos]

This story is just like Biden revealing the secret bunker. The gov't needs to do a better job keeping secret things which need to be secret. You can't blame the inspector (e.g. P2P) for pointing out holes in your security. I want the First Family to be safe, but I'm unwilling to compromise my liberties to guarantee this (not that this is the proposed solution; I'm just saying).

At least flaws like these in security are being discovered during "peace" time.

Re:

[Bakkster]

As was stated, the specific information may be underclassified. "Sensitive" information does not require a security clearance to view and might be visible to the public network. It is not the same as classified information (Top Secret, Secret, Confidential). Generally, procedures are quite good and classified information rarely finds its way out.

Since this information wasn't a literal "Secret", it didn't have the same security requirements. What is needed now is to improve security of sensitive informa

PsyOps

[bloobamator]

Or it could be good old disinformation. It's hard to believe that the Fed's firewalls allow P2P traffic.

LimeWire is to Blame

[atomic_bomberman]

How could LimeWire let this happen? This is just as bad as fork and knife manufacturers who fail to keep fat, dumb people from eating too much.

Re:

[Chris Burke]

This is just as bad as fork and knife manufacturers who fail to keep fat, dumb people from eating too much.

But they make their products pointy expressly to discourage people from using them!

Get your heads out of your asses

[qoncept]

I read through here and basically saw nothing but a bunch of smart ass comments about other ways documents could be lost or leaked. Great.

Tell me* when the last time you installed software on a briefcase and it automatically indexed all your media and documents, by default, and then broadcast it to millions of other people.

Tell me* when the last time you downloaded [ a linux distro / "something" ] from an ftp server, while in the meantime everyone else connected downloaded all of your media and docume

Re:

[Krneki]

WoW patches its clients via P2P. And it's a serious business for 10M people.

Re:

[Krneki]

I'm talking about P2P. What people use on working computer is the employer concern not mine.

P.S: At work I'm trying to implement an ALLOW system for exe files. So if you want to run an new exe file you need an explicit permission from the tech department. Sadly the management doesn't agree with me.

Re:

[pluther]

What people use on working computer is the employer concern not mine.

If you're an American, in this case the employer is you.

Re:

[clone53421]

the last time you installed software ~ and it automatically indexed all your media and documents, by default, and then broadcast it to millions of other people.

the last time you downloaded "something" ~ while in the meantime everyone else connected downloaded all of your media and documents

the last time you posted ~ accidentally ~ a document containing all your passwords. Shared by default in Limewire.

Never. Certainly not when I installed LimeWire; I'm much too intelligent to let it do that.

Not just those in the goverment are stupid...

[sherpajohn]

I heard a "security focal" in a large helpdesk group once tell us that mp3 files were "illegal" and anyone caught with them would be charged and fired.

Re:

[swilde23]

I worked for the Computer Science department of the state run university where I live, and we sent out an email that sounded something like that... of course, it occurred on the first day of the fourth month. But it was rather amazing how many concerned emails we got in response.

Sensitive but unclassified

[QuoteMstr]

Now that's an oxymoron definition. If it's genuinely important to the nation to keep a document secret, then classify it. If it's not important enough to classify, then it's not important enough to keep from the public. A transparent government is a good government.

ban P2P use on government, contractor networks

[nurb432]

Why stop there? Just ban p2p on the internet. Oh, and any other transfer protocol.

idiots

Sooo...

[ChinggisK]

So where is it?

Oops?

[rgviza]

Wow... Government IT Security is either forced to let nitwits use this stuff, or they are failing their employers horribly.

do we find out how they fucked up this bad?

[jollyreaper]

It's rare that we even hear about Joe Computerguy fucking up by accidentally sharing his homemade porn stash by accident. The only examples I can think of were not accidental at all but jilted boyfriends trying to burn the ex. But ok, I can buy an accidental release -- you store your homemade porn in a default media directory, the p2p app does a scan for shareable media and autoselects it, ok, it's possible. The guy's an idiot but it's possible. But for government shit like this to make it out, the plans fo

Two points...

[rickb928]

1. I was blocking Limewire (and Kazaa, etc.) traffic for clients with substantially less security exposure for years and years. Most P2P networks are just hives of viruses, malware, exploits, illict file sharing, and worse. My clients pretty much expected it. Of course, blocking Webshots gots people a little hot, but they get over it.

2. Any bets that the actual culprit was a security wonk, figuring they were smarter than the rest of the world? Very few of the 'security' folk I've worked with actually practiced what they preached. And most either wandered from job to job, or lasted only until the first noticeable breach. One of my former clients made the news a few months ago, because someone was putting USB keys into their corporate servers. Even the PKI repository. Apparently they thought a free utility they got from a friend at a user group was really useful. Not.

I one were deliberately trying to discredit P2P...

[roc97007]

...one couldn't find a better way to do it than this.

So, where is it?

[Hatta]

Or where was it? It's public information now, and the President sure as hell isn't going to be using it anymore, so what's the harm in telling us?

BAN VERBAL COMMUNICATION!

[popsensation]

Lets ban all means in which people communicate, or at least have the government moderate it. MUAHHAHAHAH

Come on Obama...

[Maltheus]

...surely you've got the cash to just buy the tunes.

Lights, Cameras, Lies

[JackSpratts]

they could have fabricated similar testimony 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 year ago (you pick). oh wait, they did. meanwhile harddrives, laptops and usb drives keep wandering away with impunity & multi gigabytes of really sensitive data. god forbid you encrypt. much easier blame p2p on the house floor in front of the bright lights of the very media cartels who create this artificial drama.

Already controlled for

[KiboMaster]

Someone should introduce Congress to the FISMA [wikipedia.org] act of 2002, which mandates that federal agencies control for this kind of stuff. As part of my work at the DoD I occasionally audit non military systems. In the past this has included systems for the IRS, DHS and FBI. All of them are required to comply with FISMA regulations, specifically NIST 800-53 [nist.gov]. The relevant section, Appendix F Section SA-6 page F-222 (or page 293, for those reading the PDF) states:

The organization controls and documents the use of publicly accessible peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

Now, I realize that's highly generic, but it's up to the organizational unit to write some sort of policy around the guidance. If they aren't able to do that, they're not in compliance with FISMA and the GAO should rightly be sticking a rather large boot up their ass [slashdot.org].

Re:

[nizo]

As far as I know, anyplace that has sensitive documents like this has a dedicated security officer. Now picture being that guy, while people you have trained do exactly what you told them NOT to do and put things on every kind of media known to humankind and then inadvertently carry sensitive stuff home and and dump it on their machine running Limewire. Yes USB thumb drives are restricted (some places go so far as to seal USB ports to make sure people don't stick unauthorized drives into the machines) but m

Re:

[INeededALogin]

For the Government to use Limewire... for it to even BE there...

Right.. it was the government that was using Limewire. The government is made of people. People make mistakes... especially when you have as many of them working for you(the US government is the largest employer in the US). Epic fail... I don't think so... 1,000s of companies make this mistake every year.

Re:

[twiddlingbits]

Banks use P2P software but it's over trusted network links and the information is encrypted. What do you think the sevice is that handles wire transfers but a P2P program moving money from one bank account to another electronically according to rules. Data transfers are tightly controlled. So, it's not P2P technology that is the issue, it's using a PUBLIC P2P system where you don't know if the person on the other end is trustworthy and won't pilfer anything you exposed but didn't protect.