In an email not marked confidential, one of our campus techs sent this to the campus community:
Beyond the hypothetical risk of P2P software like Skype, apparently LimeWire is a real security problem. Fortunately nothing on my hard disk is as sensitive as those in the Pentagon, but I imagine some information (like student records or the president's correspondence) shouldn't be shared with the world at large.
Gen. Clark: Sensitive Gov't. Documents Exposed by LimeWire
By Scott M. Fulton, III, BetaNews
July 26, 2007, 10:01 PM
In testimony before the House Oversight and Government Reform Committee on Tuesday, Gen. Wesley Clark - the former supreme commander of NATO forces and US presidential candidate, speaking as a board member of and advisor to security software company Tiversa - cited a study by his company revealing that in a period of two hours' search time on the P2P file-sharing system LimeWire, over 200 classified US Government documents were discovered.
Later, Clark stated, Tiversa engineers located the entire Pentagon backbone network security infrastructure diagram, which apparently came as part of a package that included a letter from the US Office of Management and Budget warning of the dangers of using LimeWire and other P2P file sharing programs on computers where sensitive or secret documents are stored. The material, it was discovered, was copied from the computer of a single Pentagon contractor, who happened to be a LimeWire user. She didn't share those files intentionally; instead, her local file system was exposed through LimeWire.
The following is my reply to that list:
In my opinion it is NOT the existence of LimeWire that is the security issue; it is people who are trusted with secure data that may be either overriding the default security settings in LimeWire and/or are putting that confidential data into directories that are shared that is the issue. According to a related article in CNET, "Particularly with early versions of file-trading software, new users sometimes accidentally shared the entire contents of their hard drives with the rest of the network. As a result, private information ranging from credit card transactions to banking passwords could be exposed. After pressure from Congress, most file-sharing programs have installed some warning to people to make it clear which directories are being shared, however."
Not using p2p file sharing software does not ensure the security of confidential data. For example, I had my laptop stolen last November in a house burglary. The thieves also stole credit cards and bank records. I lost plenty of my own confidential data. Even though I do not often use p2p file sharing software, my personal information was compromised. Physical access is root access to almost all computers.
In the new media class I teach, p2p software is a critical tool for my students to accomplish their academic goals. Using shared p2p file sharing software is an important way students can share legitimate and legal Creative Commons-licensed content they are creating.
University employees need to be aware of their responsibilities to protect confidential data and not blame p2p technology for their own failure to do so. University-owned computers containing confidential data should NOT be used for p2p file sharing when doing so is NOT university business. I do NOT think protecting confidential information is taken seriously enough at our school, but the problem in my opinion is not the existence of p2p software; the problem is the lack of training and the lack of focus on the protection of confidential information. The problem, in my opinion, is user error.