FOUO and File Sharing Software

Started by wuzafuzz, March 01, 2009, 02:38:08 PM


wuzafuzz

This FoxNews article shows how peer-to-peer file sharing software can share your secrets without you even knowing about it.
http://www.foxnews.com/politics/elections/2009/03/01/report-pennsylvania-company-discovers-marine-security-breach/

I am stunned that any defense contractor has computers open enough that users can install programs on their computers.  Unless this was one of their IT people with admin rights, that seems like a bozo no-no.  I work for an insurance company and even our computers are locked down tight enough to prevent that.

So, if you have FOUO stuff on your computer, you might consider whether file sharing software is appropriate for that machine.  Granted, our FOUO info isn't exactly top secret, but we have our rules.  What about your banking or tax info on that computer?  Food for thought.
"You can't stop the signal, Mal."

Eclipse

File sharing as in Morpheus type crap?

If you are stupid enough to load that or its ilk on your machine, especially a CAP-owned machine, you deserve everything you get.

However with that said, I can't imagine why mil-spec networks aren't blocking the traffic out of hand.

"That Others May Zoom"

wuzafuzz

Quote from: Eclipse on March 01, 2009, 02:48:38 PM
File sharing as in Morpheus type crap?

If you are stupid enough to load that or its ilk on your machine, especially a CAP-owned machine, you deserve everything you get.

However with that said, I can't imagine why mil-spec networks aren't blocking the traffic out of hand.

Agreed.  File sharing has been a Moral Leadership topic for our cadets. 
"You can't stop the signal, Mal."

openmind

Quote from: Eclipse on March 01, 2009, 02:48:38 PM
File sharing as in Morpheus type crap?

If you are stupid enough to load that or its ilk on your machine, especially a CAP-owned machine, you deserve everything you get.

However with that said, I can't imagine why mil-spec networks aren't blocking the traffic out of hand.

I fully agree on .mil and .mil-contractor networks blocking P2P traffic, whenever possible.  It seems like a no-brainer.

However, I would like to remind everyone that, though the press and the lawyers tend to drown it out with their Piracy bashing, there are legitimate and proper and Legal uses for P2P file sharing apps.

In fact, the amount of legal data sharing going on via P2P is surprisingly large.  It is only dwarfed by the monumental size of the Illegal/Improper traffic.

So, let's try to separate out the Bad P2P (which should be a Moral Leadership item for cadets as someone already mentioned), and not tar and feather the Good P2P alongside.

As a further discussion point:  Remember that some of these data breaches have happened when an employee/service member brought data home on a flash drive to work on their personal machine.  We don't merely have to protect the actual Corporate Computers, we need to be sure where we are taking Corporate Data when we work on it on other machines.  Even using a loaner laptop from another agency at an ICP could leave data exposed.  Again, not so much 'secret' data, though I'm sure USAF would prefer we take the FOUO stuff seriously, but personal info that could be used for identity theft or even financial info that could be used to defraud CAP in some manner.

In the same way that 'Safety is a Culture' in aviation, 'Security is a Culture' in IT.  I wish it were easier, but it isn't, so we do what we must.

openmind

Eclipse

Sorry - doesn't fly in the media because it's simply not true.

There are more than enough straightforward ways to distribute files versus encrypted, distributed networks that hide a file's origins and content.

They were created primarily to distribute illegal content, that's what they are used primarily for, the major networks generally distribute the clients with adware and crapware, and worse, in a lot of cases malware that does unknown things to your machines and files.

The fact that a tiny minority of the user base exchanges files that aren't illegal doesn't change the above, and there are better ways such as Rapidshare, etc., that are "bad enough" without at least requiring local clients, and are far more traceable should there be an issue with content.

As to the breaches, any product, not approved by IT, that contacts an outside service and uniquely identifies itself is a serious security breach and should be blocked.  That's what VPNs, SSL, and similar are for.

"That Others May Zoom"

winterg

I live in the dorms at the University of Wisconsin, Milwaukee, and to even use our computer in our room, the network automatically performs a scan of our computer to make sure there is no P2P software present.  If there is, you cannot connect to the internet until it is removed.  The university has taken a very hard line on file sharing.  I think this is a good thing.

JAFO78

I saw the same news story. I can safely say we don't use this at our house.
JAFO

MikeD

There are plenty of legit uses for file sharing software.  A lot of open-source or indie software is primarily distributed via BitTorrent.  A lot of Linux distributions do it.  Also, ReBirth is some music software that's been discontinued, and the company made it a free download, but only by BitTorrent: http://www.rebirthmuseum.com/index.htm