
File sharers leak government secrets

Declan McCullagh CBSNews.com | July 29, 2009 11:20 AM PDT

Summary

Government employees who handle sensitive information should not be installing file sharing software. But they are. And that information is readily available for anyone to look up.

Sensitive files including Secret Service safehouse locations, military rosters, and IRS tax returns can still be found on file-sharing networks, according to a report issued to a U.S. House of Representatives committee on Wednesday.

In many cases, that's because federal government employees or contractors installed peer-to-peer software on their computers without paying attention to which documents would be shared, Robert Boback, the chief executive of Tiversa, told the panel.

Boback said his company found the Secret Service's evacuation plans for the first lady and motorcade routes. (See an interview with Tiversa about Marine One documents found on a peer-to-peer network this spring.)

That led some politicians to announce that new federal laws were necessary to stop inadvertent file sharing.

"I'm planning to introduce a bill," said Rep. Edolphus Towns, a New York Democrat who heads a House oversight committee. He said his legislation would limit the use of peer-to-peer software on all computer networks operated by the federal government or its contractors.

In addition, the Federal Trade Commission should investigate whether P2P software developers are violating the law, and the Obama administration should "undertake a national campaign to educate consumers about the dangers of file-sharing software," Towns said. (In April, Towns' committee informed the FTC it had reopened an investigation into inadvertent file sharing.)

Rep. Peter Welch, a Vermont Democrat, suggested a similar approach. He wanted to know "whether there's some legal action that should be taken to protect intellectual property, to protect kids from pornography, to protect classified medical information, national security information."

The two-and-a-half hour hearing singled out LimeWire, which is probably the highest-profile P2P client in use today. LimeWire is distributed by Manhattan-based Lime Wire LLC (which sells a more featureful version called LimeWire Pro) and it uses the BitTorrent and Gnutella networks.

Lime Group chairman Mark Gorton tried to defuse some of the criticism, saying "the current version of LimeWire does not share any documents by default," and many security improvements were added in version 5 of the software -- released in December 2008 -- that were absent from version 4.

Gorton also tried to make a more subtle point: the Gnutella network is an amalgamation of scores of different P2P clients, many of which may have different default settings, and LimeWire shouldn't be held responsible for someone's decision to share files using a program written by a different company.

It didn't work. "It is chilling what the public now has available to it," Rep. Towns said. "The idea that you can look at the first lady's information, where she's going, how she's getting there, tax records, things of that nature. ... we need to get to the bottom of this."

Not helping was the fact that Gorton testified at an earlier hearing in July 2007 on the same topic.

"Mr. Gorton, I find your testimony today stunning," said Rep. Paul Hodes, a New Hampshire Democrat. "You promised us two years ago you were going to fix LimeWire."

Replied Gorton: "LimeWire does not control the computers of people around the country."

He added later: "It's not unreasonable to expect that people who install file-sharing software want to share files."

Other suggestions were more extreme. Rep. Bill Foster, an Illinois Democrat who's more technically-inclined than most politicians (he has a doctorate in physics), said that "the nuclear option is to block the Gnutella protocol" on a national basis.

But, Foster acknowledged, that wasn't likely to work. Another option, he said, would be to create a new version of the Gnutella protocol that allowed only limited clients -- that curbed what folders or filetypes could be shared -- to connect to it.

This article was originally posted on CBS News.

Talkback Most Recent of 49 Talkback(s)

  • Securing a network...
    is a very simple task. However, it does require that the administrator(s) actually be qualified and knowledgeable about their profession. During my 20 years in the technology profession it has become quite obvious that maybe 2 out of 10 professionals are actually qualified to be called professionals. This is why there is so much compromised data and why so many IT projects fail.

    They can pass all the legislation they want to but it will not make sensitive data any more secure. Unless the legislation was stringent requirements to get into the IT profession.
    bjbrock
    29th Jul 2009
  • Amen. And the US Govt uses lowest bid
    contractors and low-paid staffers, so they get a pretty low quality of security as a result.
    terry flores
    29th Jul 2009
  • Agree
    I totally agree. Private companies have no problems controlling this, from both a management and tech approach. This is an epic failure on the part of the government's IT folks. The responsibility here should not lie on the P2P apps/networks. These are arguably legit and much less harmless when used personally, but have no place in any office. But such is human nature, people CANNOT take responsibility for their own actions, so a scapegoat must be blamed, and in this case it is Limewire. Awesome!
    djmik
    29th Jul 2009
  • I second that........
    The basics of network security were bypassed completely. I am embarrassed that our government is so stupid. People wonder why I don't trust them to do much of anything and this just puts a rubber stamp on that thought.

    Second, I can't believe they blame limewire for this. Complete twilight zone moment right there. No, don't blame the sys admin or the idiot that installed it, blame limewire, that's the ticket. Politicians are dumber than a box of rocks and we seriously need a complete clean slate of common sense individuals to take their place. FAIL all over this.
    OhTheHumanity
    29th Jul 2009
  • I agree
    It's no one's fault but the people that installed it on their computer and made files available to share, and their system administrators for not controlling it.

    How dumb of a situation
    ingramproductions
    29th Jul 2009
  • Yep . . .
    If people keep hitting themselves with hammers, don't blame one manufacturer of one brand of hammer!
    sporkfighter
    6th Aug 2009
  • I take issue with one point ...
    "Politicians are dumber than a box of rocks and we seriously need a complete clean slate of common sense individuals to take their place."

    I've met many politicians over the years, and most of them are smart, or at least cunning. If you want to point a finger at dummies, then point it at us, the citizens who voted for them.
    terry flores
    29th Jul 2009
  • True.....
    But sometimes you have no choice but to vote for a worthless candidate. As we all know, it's hard to break the cycles in politics. I think maybe they aren't dumb, but they act like they know things they really do not know, which in turn makes them look dumb.
    OhTheHumanity
    30th Jul 2009
  • Agreed.
    We voted them in... We should be able to vote 'em out (unless you believe the conspiracy theories of vote fixing made easier by the new electronic voting.) They are smart and cunning, but out of touch with reality as we citizens contact it. They have aides and others who do most of their computer work, so they haven't bothered to LEARN the real ins and outs. Yepp, they're sly and cunning, AND just about as greedy as any CEO, CIO, CTO, etc. out there. Sadly the good ones don't seem to get as far as they should.

    Hey, the media cartels who have offered incentives to them blame the P2P networks for their losses... easy direction to go. Ignore the fact that there are about as many legit uses for P2P as there are illegal.
    DaemonSlayer
    6th Aug 2009
  • It also takes the . . .
    . . . balls to say "No!" to everyone using the network, from the mail-room flunky to the CEO.
    sporkfighter
    6th Aug 2009
  • And STILL people whine and complain about DRM!
    If those files had been rights-restricted, unauthorized viewing would have been prevented.

    When you want to control who can read your data, DRM-it! (I should trademark that ;))

    Sigh.
    de-void-21165590650301806002836337787023
    29th Jul 2009
  • If by DRM, you meant encryption, then yes.
    But DRM as a generic information security tool is a joke, especially for text-based information. DRM barely works for mass-distributed files where the files were intended for distribution. It doesn't prevent intelligence-gathering from files that weren't intended for wide distribution in the first place.
    terry flores
    29th Jul 2009
  • Dumb, Ridiculous Moron
    DRM must go. One way or another people will share whatever they want.
    KrazdKiller
    3rd Aug 2009
  • You're confused, this content is not DRM
    DRM has nothing to do with something that is not intended for mass distribution. Got it? This is private, not distributed, content. You must mean encryption, not DRM.
    Altotus
    4th Aug 2009
  • Just wait
    'til the first leaks come out of Google. They have more information about more people than anybody. It will happen!
    jorjitop
    29th Jul 2009
