US p2p study reveals glaring security holes
A study into p2p apps on government systems has revealed glaring security holes.
When a staff group experimented with Kazaa’s Find More from Same User feature, among other 'personal' files they found:
• Military information on chemical warfare
• Correspondence from the office of a state senator to constituents
• Internal correspondence on state political organization
• Sensitive business correspondence, including memos on board of directors decision making
• Navy medical records
They were preparing a report for Reps. Tom Davis and Henry Waxman, chairman and ranking member of the Committee on Government Reform.
As a result, legislation to guard US federal agency computers against p2p apps was passed by the House Government Reform Committee a mere day after it was introduced yesterday.
The staff report found:
• Many users of file-sharing programs have inadvertently made highly personal information available to other users. Committee investigators found that file-sharing programs could be used to obtain tax returns, medical records, attorney-client communications, and personal correspondence from P2P users. A search of one P2P network found at least 2,500 Microsoft Money backup files, which store the user’s personal financial records, available for download.
• P2P file-sharing software tested by Committee investigators introduces 'spyware' or 'adware' onto users’ computers. In Committee testing, spyware and adware programs, which collect personal information for marketers, were bundled with file-sharing programs. These spyware and adware programs caused computer difficulties, including increased 'pop-up' advertisements, increased targeted spam e-mail, unusual browser activity, new and unwanted desktop software installations, and, in some instances, software conflicts and system crashes.
• P2P file-sharing software can spread viruses, worms, and other malicious computer files. Computer security experts consulted by the Committee reported that file-sharing programs can place users’ computers at additional
An internet.com report says instead of banning P2P networks on government computers, a spokesman for Davis said, "We didn't want to be that draconian," going on, "Neither the legislation, the staff committee report nor the Davis spokesman could cite how many government computers have P2P software installed.
"The legislation does contain language that states, 'Innovations in peer-to-peer technology for government applications can be pursued on intragovernmental networks that do not pose risks to network security.'
"Davis added, 'File sharing technology is not inherently bad, and it may turn out to have a variety of beneficial applications. However, as our committee has learned, this technology can create serious risks for users. This bill takes a common sense approach to protect the computers and networks of the federal government and the valuable information they contain'."
User Comments
(These do not necessarily reflect the beliefs of this site)
|
independentm...
|
Date: September 26, 2003 @ 10:19 AM
Yes, I don't want our national security sensitive computers to be used at coffee break to share files via unsecure p2p apps. But I ALSO don't want these same computers running microsoft windows...
VERY unsecure!
But the main thrust of this article is another RIAA attack on p2p technology. The RIAA will do ANYTHING to stop the ability of people to share music with other people. They will call p2p a boon to pedophiles, they will call it a boon to terrorists, they will call it anything and everything under the sun to protect their outdated business model. The RIAA can NOT adapt to the fact that they are NO LONGER "needed" for the distribution of recorded music.
Don't fall for RIAA lies and distortions!
Shmoo, of Electric Gypsy
http://electricgypsy.iuma.com
Support Local and Independent Music! |
|
djjayo1
|
Date: September 26, 2003 @ 10:21 AM
Not to be rude but if people are so naive to put all their files in one folder or directory (aka keeping all their eggs in one basket) That is not our fault if it gets on to p2p.
Do you blame a lock manufacturer for a burglary when you forget to lock your front door to begin with? |
|
wet1
|
Date: September 26, 2003 @ 10:39 AM
Now wait a minute, these are "government computers" meaning most of them are networked. Networks mean system admins. Usually they are set up so that you can not participate in p2p's so that the company or government is not responsible for the violation of rules. They had to hunt long and hard to find this instance. Very suspicious to me as we all know the RIAA tells the truth at all times... (coughs and hides in case the tomatoes start flying) |
|
MikeTwo
|
Date: September 26, 2003 @ 10:42 AM
I hate the way the RIAA is gonna spin this sh*t...but in this instance I can see the point.
(1) - If you're on the job, you really shouldn't be using p2p instead of the office network or sneaker network or whatever...just because it is loaded with adware and spyware and all this other bs that can crash your computer...and because there's nothing I can think of on the networks that you can justify needing on the job. Even music can be downloaded at home and brought in via cd. People are just stupid when it comes to protecting their office computers... so I can see the point here.
(2) - I work for the gov't, and use classified stuff all the time. There is a system already in place to transfer that around securely... so the need for p2p on a sensitive computer is rather moot.
Nevertheless, the fact that federal employees like myself don't need p2p on the job has absolutely NOTHING to do with private home use of p2p whatsoever. So once again the RIAA is pulling a spin. Maybe I should go next door and start throwing rocks at the Capitol until someone listens... :)
*sarcasm intended* |
|
purfus
|
Date: September 26, 2003 @ 10:52 AM
Why punish everyone because a bunch of ignorant users do not understand what their computers can do. And yes I agree windows is the biggest security hazard on the majority of PC's. LONG LIVE LINUX And to think that government officials were actually able to install untested apps on computers containing volatile information.... Well that's just sad. Seems to me it is a bit analogous to hiding your car key in your visor. If you do not want your car to get stolen, you don't do that.... |
|
scaldwell1982
|
Date: September 26, 2003 @ 12:07 PM
So the government was using file sharing software. HMMMM shouldn't they get sued by the RIAA. I mean, sure, call it "experimenting", but isn't that all we are doing. Some people call it sharing, some call it stealing, from now on I will call it "experimenting". |
|
JLBRMECHANIC
|
Date: September 26, 2003 @ 12:09 PM
You know what guys? When I first read the article about the music industry's attack on P2P saying that they are a haven for pornography I honestly fell on the floor laughing my ass off. Talk about people who live in glass houses and dare to throw stones. They are the biggest peddlers of pornography and worst is that they peddle it directly to our children. As long as Linux remains free and easily modified, Microsoft will always have to worry about them. I just wish that the Linux community would make linux just as easy and more automated like Windows. I have a copy of red hat 9 already....very good but unfortunately, the command line is still very much there. I do want other alternatives to Windows and I believe that in 5 years, Linux will make its way onto the desktop and will be a formidable foe against Microsoft. Remember Ma Bell? We have many local and national telephone companies competing for our money. The same will be true for Computers. |
|
spikester
|
Date: September 26, 2003 @ 2:08 PM
Linux is foolproof once you learn how to use that command line and everything you can do with it quadruples 10 times over if you care to learn it.
I will continue to laugh at these stories as long as they insist that they have to run M$ Windows on their machines. Nothing is more insecure.
The last story that disgusted me was that the computers that ran the database for issuing travelling VISA's got full of worms, which during this time they couldn't issue any VISA's. Yes all these computers ran M$ Windows.
So if they think P2P is a threat to security, then they need to really look at Windows LONG BEFORE they touch P2P. |
|
RaidHHI
|
Date: September 26, 2003 @ 2:36 PM
Hmm. Very Interesting. Don't get me wrong, I have nothing against linux; other than it being used for script kiddy style activities on irc.. But.. aside from that...
The comments about windows being insecure and ignorant users made me laugh; if your windows box has security issues, it could very well be your own ignorance directly causing it.
Take for example, the blaster worm. While windows did indeed have a serious security hole which the worm exploited, proper care of an affected windows nt based pc would still have prevented it. The worm requires access to specific ports; which unless you have a very specific reason to have open, shouldn't be. (The same would apply for linux too of course).
Proper care would have been a firewall, and possibly a router with hardware level firewalling; Only the ports you need for server hosting would be available. It's not the fault of your house if you don't lock the doors and you get burglarized. It's your own.
|
|
metal-man-micro
|
Date: September 26, 2003 @ 2:41 PM
Using Windows has nothing to do with security or a lack of it.
Windows, just like Linux or any OS requires certain procedures to take place before placing it on the Internet. These include shutting down unnecessary services, adjusting security policies, shutting off unneeded protocols, setting up proper access rights, and installing some type of firewall and IDS.
To make blanket comments about Windows being unsecure is ignorant. Linux or any OS can be just as unsecure in the hands of the wrong person. The recent Windows worms mean only one thing, most Windows users don't know how to secure their PC. If a majority of the peeps out there using Windows knew how to lock down their OS, that worm would have gone nowhere fast.
Bottom line is, you lock down and secure the workstation, you don't get burnt, regardless of the OS. |
|
nitedreamerxp
|
Date: September 26, 2003 @ 3:35 PM
But if you read it they want to shield the gov. from being attacked by the RIAA in a sense that some senators kid get in the rap with the RIAA, but in essence I believe gov. subjects should be protected Hmmmmm p2p in gov. |
|
darkened03
|
Date: September 26, 2003 @ 3:46 PM
but guys we need all those people in the government buildings to be running p2p or ftps on their oc3+ connections we pay for it with our tax dollars the people might as well get some benefit out of it
::evil grin:: |
|
Stryker111111
|
Date: September 26, 2003 @ 3:57 PM
Okay, now THAT is a problem. When you can get into government secrets through P2Ps, there has to be something wrong going on.
O.o |
|
tasadar24
|
Date: September 26, 2003 @ 5:07 PM
Has anyone seen Michael Moore's video, Bowling for Columbine?
Can't you just feel it? They are trying to scare us. |
|
shitstick
|
Date: September 26, 2003 @ 5:37 PM
there are probably lots of bugs in linux that have not yet been found. the reason they have found so many things in microsoft programs are
1. it's much more complicated
2. almost everyone uses it why make a virus or look for bugs for linux or macs when most people don't use them |
|
greatscottpr...
|
Date: September 26, 2003 @ 5:43 PM
BULLSHIT! BULLSHIT! BULLSHIT! THAT'S RIGHT, ALL CAPS!!!! AND ALL LIES!!!!! KISS MY ASS, RIAA! YOUR GAME IS OVER!!!!!
POWER TO THE PEOPLE!!!!
GO :usa:
:viking: |
|
sharefile
|
Date: September 26, 2003 @ 8:46 PM
the reason why most hackers make a virus to attack windows is to put pressure on them in the public spotlight since most people think very highly of microsoft as the do all know it all. the reason why there are no viruses (or very few) for macs and nix machines is that for macs they tend to be fairly secure in that under a semi experienced user they are nearly unhackable and pretty much virus immune.
also the people who have macs actually think the operating system is good and generally bug free.
linux on the other hand doesn't get viruses for a few reasons, one just about every hacker that knows anything beyond basic terminal cracking either has linux or thinks very highly of it, to my knowledge there are only 4 viruses for linux but don't work since no machine is the same. also any virus made by microsoft against linux is very quickly reverse engineered and fixed then they tell everyone how to fix.
i know it's way far OT but i felt like i needed to mention this |
|
purfus
|
Date: September 26, 2003 @ 9:31 PM
I can not argue that a diligent user makes an operating system secure. However, historically microsoft products have the most security holes. A really good example of one would be the flaw in Money that would allow anyone on the network (Internet) access to your financial information while you were browsing the web. It's one thing to be a diligent user and stay secure. It is a completely different thing when a diligent user needs to run the most secure firewall they can get and download 52 updates per year to stay safe. How about universal plug and play? That was a great example of microsoft's attention to the details. Sure it could have made life easier. But it would have made life easier for everyone including the hackers. How about the tons of other features XP has just waiting to be exploited. No one ever needed to make a program called Linux-AntiSpy, but I find XP-AntiSpy an essential part to cleaning up a fresh installation of windows. Not to mention a good 20 minutes into the services list. Like I said, I agree that a diligent user is essential to security. But when you're trying to make windows secure it is analogous to trying to make a sieve hold water. It can be done. Other materials are required to do so. Along with effort on the operator's part. But the average person will not take the effort. Apparently certain members of our government fall into this category. |
|
greatscottpr...
|
Date: September 26, 2003 @ 10:32 PM
EVE OF DESTRUCTION
:sing:The eastern world it is file sharing
Gold and platonium CD’s not sellin
Your old enough to kill but not file sharin
The RIAA IS INTO TERRORISM
HOW CAN THEY KEEP ON ATTACKING ALL OUR CHILDREN!
And ya tell me over and over and over again
R.I.A.A.
Your protecting the artist when YOU’RE JUST BUYING POLITICIANS!!!:2notes:
|
|
cucamOnga
|
Date: September 26, 2003 @ 11:49 PM
The Eastern world, it is explodin'
Violence flarin' ... bullets loadin'
You're old enough to kill, but not for
votin'
You don' believe in war but what's
that gun you're toatin'?
And you tell me over and over and over
Again my friend...
You don't believe we're on the Eve of
Destruction...Barry McGuire |
|
greatscottpr...
|
Date: September 27, 2003 @ 2:08 AM
http://artists.mp3s.com/artist_song/3262/3262281.html
Written by P.F. Sloan |
|
purfus
|
Date: September 27, 2003 @ 10:46 AM
And the RIAA is worried about porn on the P2P networks....
http://ptrads.mp3.com/RealMedia/ads/adstream_lx.ads/www.mp3.com/music/1443223231/TopRight/music/house_mp3_rosskyscraper/RSTrio_vid_120x600B.jpg/38323666353430363366373561323230 |
|
purfus
|
Date: September 27, 2003 @ 10:47 AM
And the RIAA is worried about porn on the P2P networks....
http://ptrads.mp3.com/RealMedia/ads/adstream_lx.ads/www.mp3.com/music/1443223231/TopRight/music/house_mp3_rosskyscraper/RSTrio_vid_120x600B.jpg/38323666353430363366373561323230
Straight from mp3.com..... |
|
goldenpi
|
Date: September 27, 2003 @ 12:24 PM
If p2p is so insecure, why has my own spying - erm, monitoring - only found inboxes full of spam and kids' homework. The most confidential information I've managed to get hold of was a financial report from Phizer (sp?), the drugs company, but that came from a hard drive I got from ebay. |
|
Sphere1952
|
Date: September 27, 2003 @ 3:16 PM
Along with running the NSA's OS http://www.nsa.gov/selinux/ shouldn't the government be using Freenet for all its P2P needs?
Letting government employees run KaZaa is just plain stupid. Almost as stupid as letting them run Windows.
|
|
cucamOnga
|
Date: September 27, 2003 @ 8:04 PM
Oh....yeah. I knew that. |
|
purfus
|
Date: September 27, 2003 @ 9:32 PM
ya'know our friggin government has the money they should have their own damn OS.... |
|
newagevampire
|
Date: September 28, 2003 @ 12:49 AM
Well, I see it like this. P2P programs are good for your home PC but I'm trying to figure out WTF someone working for the govt. would need with it. Makes you wonder what we are paying taxes for. I guess maybe somebody like Clinton would like to download a little Sinatra to go with his Cigar, LOL. |
|
darknite9
|
Date: September 29, 2003 @ 11:22 AM
On the OS security issue, Yes there are things that can be done to make windows slightly more secure.
The big problem is, the majority of computer users are not system admins or security experts.
MS ships windows with all of the security features turned off by default. A new windows system out of the box is completely vulnerable. MS doesn't even include a warning that security should be enabled. Add to that the fact that MS code across all products allows any .exe or script to run without even asking user permission and you have a security nightmare.
Linux, Unix or Mac OSX could be made equally unsecure if all security measures were turned off by default, and anything was allowed to run without any user interaction or knowledge. At least OSX comes out of the box with root disabled and all security features turned on by default
Thanks Billy G! |
|
|