The Committee on Oversight and Government Reform conducted hearings yesterday regarding P2P networks and how they are a threat to national security. My initial reaction was one of incredulity that involved expletives and a bit of shouting.
After I calmed down I considered rethinking my position and decided that maybe I should do a bit of research. I looked at the committee's website (http://oversight.house.gov/story.asp?ID=1424) and decided to give them the benefit of the doubt and started reading. They had posted an article on the website detailing their position (http://oversight.house.gov/documents/20070724140635.pdf), so I determined that I should start there.
The upshot of the thing is that P2P networks are a wonderful device to exploit the ignorant and the unwary. Take a look at the article and you will see what I mean. Here is an example.
P2P Security - How Does Sensitive Information Get Exposed?
Current P2P clients allow users to share items in a particular folder and often direct
users to move files to that folder. In normal operation, a P2P client simply writes files
to disk as it downloads them and reads files from disk as it uploads them. There are
several routes for confidential data to get on to the network: a user accidentally shares
folders containing the information; a user stores music and other data in the same
folder that is shared; a user downloads malware that, when executed, exposes files; or
the client software has bugs that result in unintentional sharing of file directories. Of
course it is not necessary for a worm or virus to expose personal or sensitive
documents because many users will unknowingly expose these documents for many
• Misplaced Files – If a file is dropped accidentally into the wrong folder.
• Confusing Interface Design – Users may be unaware of what folders are
being shared or even that they are sharing files. For example, in a user study,
Good and Krekelberg found that the KaZaA interface design contributed to
user confusion over what files were being shared9.
• Incentives to Share a Large Number of Files – Certain programs reward
users for making files available or uploading more files. Some users may
believe they can gain an advantage by sharing their entire hard drives.
• General Laziness on the Part of the User – If a user has a folder such as “My
Documents” with many media folders inside, they may share My Documents
rather than selecting each media folder individually to share, thus exposing
all the other types of documents and folders contained within.
• Wizards designed to determine media folders – Some sharing clients come
with wizards that scan an individual’s computer and recommend folders
containing media to share. If there is an MP3 or image file in a folder with
important documents, that entire folder could be exposed by such a wizard.
• Unaware or forgetful of what is stored on the computer and where.
(especially by other users.) – Users may simply forget about the letter they
wrote to the bank, or the documents they brought home from work.
Similarly, teenagers using P2P may not know what their parents keep on the
• Poor Organization Habits – Certain people may not take the time to organize
their files. MP3s, videos, letters, papers, passwords, and family pictures may
all be kept in the same folder.
Keep in mind this is taken from the posted government position paper on the subject. Basically what the government is saying is that clients of the P2P networks can be careless, clumsy or confused, and the result can be the clients' data made accessible to a couple of million other clients on the given network. And oh, by the way, it’s the fault of the manufacturer of the client software for providing the tools by which the stupid can have themselves so easily exploited.
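The exposure routes in the excerpt (a whole "My Documents" folder shared, documents sitting beside media files) are things a user can check for on their own machine. The following is an added example, not code from the position paper or from any P2P client; the extension list, the broad-folder names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Extensions a user plausibly meant to share (assumed list, adjust to taste).
MEDIA_EXT = {".mp3", ".wav", ".ogg", ".avi", ".mpg", ".mp4", ".jpg", ".png", ".gif"}
# Folder names too broad to share as a whole (assumed list).
BROAD_ROOTS = {"my documents", "documents", "desktop"}


def audit_shared_folder(shared_root):
    """Return findings for a folder a P2P client is configured to share."""
    root = Path(shared_root).resolve()
    findings = {"broad_root": False, "non_media": [], "mixed_dirs": []}
    # Sharing "My Documents" or a drive root exposes everything beneath it.
    if root.name.lower() in BROAD_ROOTS or root.parent == root:
        findings["broad_root"] = True
    for dirpath, _dirs, files in os.walk(root):
        media = [f for f in files if Path(f).suffix.lower() in MEDIA_EXT]
        other = [f for f in files if Path(f).suffix.lower() not in MEDIA_EXT]
        rel = Path(dirpath).relative_to(root)
        findings["non_media"] += [(rel / f).as_posix() for f in other]
        # One MP3 or image beside documents is enough for a media-scanning
        # wizard to recommend the whole folder.
        if media and other:
            findings["mixed_dirs"].append(rel.as_posix())
    findings["non_media"].sort()
    findings["mixed_dirs"].sort()
    return findings


def build_sample_tree(base):
    """Constructed sample: a 'My Documents' folder holding media and documents."""
    root = Path(base) / "My Documents"
    for name in ("Music/song.mp3", "Bank/letter_to_bank.doc",
                 "Work/budget.xls", "Work/team_photo.jpg", "passwords.txt"):
        path = root / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in audit_shared_folder(build_sample_tree(tmp)).items():
            print(key, "->", value)
```

Pointing `audit_shared_folder` at the folder actually configured in the client shows every non-media file that other users on the network could retrieve.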
This is not the committee's first time addressing the evils of P2P networks. In October 2003 current chairman Henry Waxman (D-CA) and then chairman Tom Davis (R-VA) were able to pass the Government Network Security Act (H.R. 3159) (http://www.securitymanagement.com/library/HR3159_Computer0304.pdf).
This legislation was enacted to require Federal agencies to develop and implement plans to protect the security and privacy of government computer systems from the risks posed by peer-to-peer file sharing. The committee is not getting to the root of the problem, nor will they. The P2P networks are a tool, and for those unwilling to educate and protect themselves against the risks associated with file sharing, a dangerous one. Without a small amount of care they can be VERY easily exploited. The government has wisely sought to do NOTHING about the crux of the issue.
We have people using advanced technologies they don’t understand nor really comprehend, to share files because of the convenience to do so. The problem isn’t the P2P networks, the problem is that people want what they want and are not willing to do the due diligence to protect themselves from abuse.
Congress can look into this all they want. There is no possible legislation that is going to correct the issue. Until Congress realizes this issue is about a public refusing to inform and protect themselves, hearings such as this one are little more than a masturbatory exercise.