The hidden dangers of P2P file sharing
Connecting state and local government leaders
Recent reports of persistent leaks of sensitive Defense Department information through file sharing highlights the risks of peer-to-peer applications that can open up unexpected files to others on the network.
Recent reports that sensitive personnel information about U.S. soldiers has been found on foreign computers highlights the risks of peer-to-peer (P2P) file-sharing applications that can make more data than you realize available to other users on the networks.
It has been known for years that many of the mainline P2P applications can quietly make much more than audio and video files in your shared folder available for downloading by others. This is one of the reasons that the Defense Department has banned unauthorized P2P applications since 2004. But Triversa Inc., which provides services to locate files exposed by P2P file sharing, reportedly has found unauthorized foreign downloads of files about soldiers. The most recent incident, reported last week by the Washington Post, is only the latest in a series of leaks that persist well after the P2P ban.
Everyone knows that P2P networks remove the distinction between client and server, giving other users access to files that you have downloaded and stored in a shared folder. That's why it's called peer-to-peer and file sharing. But apparently this knowledge is not common enough. And what is even less commonly known is that P2P apps can expose almost any kind of data once it gets into your computer.
According to a report from the U.S. Patent and Trademark Office (USPTO) on some of the unsavory features included in P2P file-sharing applications, if a downloaded file is moved out of the shared folder, that file can give most file-sharing applications access to all the data in the new folder as well. If the new folder happens to contain a tax return or old love letters as well as your MP3s and MP4s, all of your peers have access to that, too. Some of the P2P programs included a search wizard that would scour your hard drive for other interesting folders for sharing.
The subject of P2P security caught the attention of former USPTO Director Jon Dudas in 2006 when he was shown some data on file-sharing programs that had gathered for a law review article.
“Because the data seemed to have potentially important implications, I asked the authors to present it in the form of a report,” Dudas wrote in a foreword to the subsequent report. “I conclude that this data should be made known to the public.”
The PTO report focused on five applications: BearShare, eDonkey, KaZaA, LimeWire and Morpheus.
One of the common side effects of participating in P2P file sharing is that of other users on the network sucking up your bandwidth when they are downloading files from your shared folder. After all, the point of P2P is that others can access your files, just as you access theirs. But users who want to eliminate this bandwidth drain often move downloaded files to another folder in an effort to make them unavailable. But in doing this they are merely exposing another folder for sharing. It is like throwing water on a grease fire. Instead of putting it out, it only spreads the problem.
The results are predictable. “By late spring 2005 the Department of Homeland Security reported that government employees using file-sharing programs had repeatedly compromised national- and military-security by 'sharing' files containing sensitive or classified data,” the USPTO report said. And four years later, it apparently still is going on.
So what is the lesson here? Remember what your mother told you all those years ago: Never take candy from strangers, and never accept free software from untrusted sources. You just might end up with a gift that keeps on giving and giving.