Back on July 29, Brian Krebs of the Washington Post, in his “Security Fix” blog, posted a note about large amounts of confidential government data found on peer-to-peer (P2P) file sharing networks. Although the original post was amended later that day to explain that some of the data was out-of-date, or otherwise not quite as sensitive as originally believed, it is still clear that a great deal of confidential information is leaked in this way. The original report was prompted by testimony before the House Oversight and Government Reform Committee, chaired by Rep. Edolphus Towns (D-NY).
It’s now been reported, by the Post and in an article in Ars Technica, that Rep. Towns is planning to introduce legislation to forbid the use of P2P software on networks belonging to the US Government or to government contractors. The reports go on to say that the Congressman’s patience, and that of his colleagues, has been exhausted waiting for the makers of P2P software to “fix” the security problem.
It strikes me that this is a case of solving the wrong problem, a not-uncommon phenomenon in large organizations. The software, after all, is doing what it is designed to do: namely, to share files. Why on earth is this software installed on networks that deal with sensitive information in the first place? In some cases, it appears that the software was installed without authorization by some of the network users. Why are these systems and networks configured to allow ordinary users to install software? This is just lunacy. I have been responsible for large trading-floor networks in the financial services industry, and I can assure you that we would never have dreamed of letting the users install their own software. Is it really necessary to pass an Act of Congress to produce an act of sense by the administrators of these systems?