Slashdot Mirror


P2P Network Exposes Obama's Safehouse Location

Lucas123 writes "The location of the safe house used in times of emergency for the First Family was leaked on a LimeWire file-sharing network recently, a fact revealed today to members of the House Oversight and Government Reform Committee. Along with the safe house location, the LimeWire networks also disclosed presidential motorcade routes, as well as a sensitive but unclassified document that listed details on every nuclear facility in the country. Now lawmakers are considering a bill to ban P2P use on government, contractor networks."

  1. Wow by GofG · · Score: 5, Insightful

    If it had been leaked by uploading it to a server, would they ban the ftp protocol?

    --
    GFA/M/S d-- s: a--- C++++ UBL++$ P+ L+++ !E- W++ N+ !o K- w--- !O !M !V PS++ PE Y+ PGP+ t+++ 5- X+ R tv@ b++ DI++++ D+ G
    1. Re:Wow by Artifakt · · Score: 3, Interesting

      I'm a stupid employee who has access to your tax records (if you pay the corporation I work for to do your taxes). Here's why I need File transfer and web access.

      1. I do returns for the normal US income tax, all 50 states and some odder locations (territories, other nations). I send these electronically most times, but some locations still require paper filing. I would need copies of both all the forms and each year's instructions, going back at least 4 years for the Federal individual taxes, and longer for corporate taxes and some others. I guess I could keep copies of all those forms in office for the occasional use, instead of downloading them only for the rare instances they are needed - However, we'd have to literally buy the grocery stores in the same malls as our typical offices to make those 'back rooms' big enough to store all that. There's a reason why Federal forms sometimes have numbers like 9737-F, or Schedule M3 (version for form 1120, hispanic).

      2. I research stock basis for customers about 50 times a year - it's incredible how many people don't know what they paid for the stock they just sold. I also have to occasionally determine what the property tax rate in some particular city or county of some other state is, find an employer ID number for one of over three thousand day care centers in our area, get a copy of someone's W-2 from an employer that only posts them through an online aggregator.
      I could probably keep updated local tax tables for 140,000+ locations without the net, but there's a turnover of about 250 new daycare businesses a year in the area I am responsible for, and the average phone contact with one of those results in some idiot who thinks what I am asking for is their sacred duty to protect from me the 'social engineer', instead of something they are legally required to add to their yearly statements to their customers. Being able to get those from the state's website saves us maybe a hundred hours a year and greatly improves chances of our clients managing to file on time.
      Take away the net for daycare contact, and you have two choices. Draconian enforcement of the laws about providing records on time, with all the escalating penalties maximized until any mom and pop business that doesn't bother to learn and follow all the regs is savagely and swiftly driven out of business, or my company and all our competitors raise the fees for filing a child care credit by about 200$ a form.

      3. I sort and handle records by SSN, something I personally don't trust when most businesses do it to me and wish I could avoid asking for with my clients. But, in this case, there is no other way for me to do it - I have to collect and give people's SSNs to the government on the forms, so I might as well use them for internal tracking as well. I see all sorts of other data, i.e. bank account numbers for people paying the IRS by direct withdrawal or getting back by direct deposit at the very least, or prescription numbers for controlled painkillers when I prepare some people's schedule As, and recording any of that that isn't absolutely required or keeping it after it's been used would be even riskier than purging it from the databases after use and keeping the SSNs. I still have to hand carry many documents rather than fax them, even though a lot of federal or state agencies are a lot looser with security than we are and I see faxes into the office that break all sorts of rules.

      I need web access to do my job, but that required access is so broad there is no policy you could write to limit that web access that wouldn't hurt some of my clients. I have had to get copies of 1099-MISC's for exotic dancers, Breakdowns of employee related expenses from Game designing companies, and even look at a person's home office over a webcam before. The first year we set a policy that prohibited adult sites, game sites, or webcams, I had to request five exemptions and it would have been higher but most of the customers were willing to go to some trouble to put returns on hold and wait till they hand carried forms instead. Probably most preparers in my district had two or three such problems minimum. We still have a policy, but the exemptions system makes it pretty much swiss cheese.

      --
      Who is John Cabal?
  2. ban the man by OrangeTide · · Score: 4, Insightful

    We must ban everything that we don't understand until we can feel safe again.

    --
    “Common sense is not so common.” — Voltaire
    1. Re:ban the man by dirtyhippie · · Score: 5, Insightful

      Congress's reaction is predictable and hilarious, but to be fair, they are only talking about banning P2P use on government computers. I don't have a problem with that. If you are working on government contracts, you should probably have a separate computer from where you keep your music, porn, etc.

    2. Re:ban the man by NotBornYesterday · · Score: 5, Informative
      You say this as a joke, but that's what members of congress are actually talking about. FTFA:

      Towns [House Oversight and Government Reform Committee chairman Rep. Edolphus Towns, (D-N.Y.)] said that the file-sharing industry's promises to self-regulate itself had clearly failed. "Specific examples of recent LimeWire leaks range from appalling to shocking," Towns said. "As far as I am concerned, the days of self-regulation should be over for the file-sharing industry."

      Saying "the days of self-regulation should be over" is congresscritterspeak for "we're about to regulate another industry", which in this case would be a) bad, b) useless, and c) undeserved. Bad because it would stymie technical development in the US, and useless because said development would then simply take place elsewhere in the world. Undeserved, because Limewire did not attempt to spread US government secrets. Their software was simply the mechanism by which some idiot (presumably a government-employed idiot, but that would be redundant) knowingly or unknowingly loosed this material into the wild.

      Other members want the issue investigated by the Federal Trade Commission, the Securities and Exchange Commission and law enforcement authorities. They said that the continued failure by companies such as LimeWire to take more proactive steps to stop inadvertent file-sharing is tantamount to enabling illegal activity resulting from the data leaks.

      And how do they propose that Limewire prevent sharers from sharing government secrets? By sending someone to each Limewire installation to make sure the luser configured it correctly? To the power-grabbing, megalomaniacal nanny state committee-rats in congress, here's an idea: clean your own house first. Clamp down on those with the poor judgment to run p2p sharing apps on systems that have sensitive data. Is there a rule against it? No? Make one. Yes? Enforce it. Hell, ban p2p on all govt systems, sensitive or not, and enforce it like the matter of national security it is.

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
    3. Re:ban the man by BobMcD · · Score: 4, Interesting

      To the power-grabbing, megalomaniacal nanny state committee-rats in congress, here's an idea: clean your own house first.

      You're completely discounting the possibility that this data was planted on LimeWire by the government expressly in order to give them this exact leverage.

      Those files could be completely false, for all we know.

      People that take action based on this allegation alone are dumb, dumb, dumb.

    4. Re:ban the man by sbeckstead · · Score: 3, Insightful

      He can go to a computer on the proper network and download it just like the military has to do now. There are darn few uses for P2P that can't be handled better by something else.

    5. Re:ban the man by hairyfeet · · Score: 5, Insightful

      Exactly. As long as this doesn't turn into a "P2P is bad, we must ban it from the internet tubes" kind of deal I have NO problem with the government mandating what can and can't be on your work machine if they are paying your check. This is just common sense, just as no admin with a brain would allow someone to run Kazaa or Limewire on the corporate Intranet. But placing rules (along with penalties) for using an unauthorized application when dealing with high level clearance materials just seems like basic security.

      They probably are simply dealing with laws written before the Internet and therefore have no rules against it. And with the government, rules and procedures are king.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:ban the man by Anonymous Coward · · Score: 5, Informative

      I work for a defense contractor. We have sensitive government data on our networks because of the nature of the work we do, and the only thing we're allowed to do to the internet is make http and https connections through a heavily firewalled and restrictive proxy, so that not only we can't leak stuff out on purpose with filesharing software, but so that commercial software can't phone home and give away something it shouldn't even by accident. Not to mention that we sign an NDA when we hire on that explicitly says we (individual employees) will not leak stuff out or through carelessness allow stuff to be leaked out. In my opinion whoever leaked this stuff out onto limewire probably broke several federal laws already on the books and might be looking at jail time.

    7. Re:ban the man by T+Murphy · · Score: 4, Funny

      some idiot (presumably a government-employed idiot, but that would be redundant)

      As an idiot, I take offense at the notion that I am on the same level as a government employee!

    8. Re:ban the man by Beardo+the+Bearded · · Score: 5, Insightful

      I work with military ... stuff. When we have a classified or higher document, it doesn't go on our normal computers, like the one I'm using now. It goes on The Secret Computer, which is in its own room, on no networks, and it requires a key, a passcard, and supervision. Things like USB are locked out. It's a secure station. You can't hack it because there's no access to the device. Social Engineering won't work that well because you've got to be vetted every 5 years to maintain your access. Plus, we're all psychologically tested, have credit checks, and are generally very well looked after.

      That is for that rare slice of documentation that is classified and is allowed on a computer. It's a nightmare to get a copy of a classified document -- do you think they would allow you to just hit "print" and get a second (or hundredth) copy? These files are very often (and yes, it's 2009) paper only, sent via special channels. You don't just email Secret documents off to whomever has a .mil email address. Generic workstation + classified document = security violation = jail.

      Now, the WHOLE ARTICLE IS BULLSHIT

      IT IS A PRESS RELEASE BY A COMPANY THAT STANDS TO MAKE MONEY FROM A MONITORING CONTRACT

      Things like the nuclear document are just bullshit. If it's sensitive, it's Classified. If it's not sensitive, it's not. The End. If it was sensitive and improperly declassified, then that's a Monumental Fuckup. You can't say "oh noes nukelar secrets on lemonwire! give us teh monitoring contract!" What are the details, mailing addresses?

      (Note for the pedantic: I'm using "Classified" as an umbrella term for anything that requires a security clearance because I didn't feel like typing out the various levels of document classification over and over again.)

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    9. Re:ban the man by Bovius · · Score: 5, Insightful

      People that take action based on this allegation alone are afraid.

      Fixed that for you. The USA's policies these days are driven primarily by blind, largely irrational fear. Although I suppose that could be transliterated into stupidity.

      The sad truth is that we have plenty of incompetent people to perform these kinds of blunders without the need for shadow organizations to orchestrate them. Anyone in the government with a will to exact more control over the public has their arms more than full of these kinds of stories.

    10. Re:ban the man by tchuladdiass · · Score: 3, Insightful

      But they can mandate appropriate data protection procedures for anything that you work on for them. Usually they will point to a standardized security policy and say that you have to pass an audit that meets that policy.

    11. Re:ban the man by OrangeTide · · Score: 3, Insightful

      Key word is "contracts". If I contract you, I can make all sorts of crazy demands. This happens all the time in the Real World(tm). And can include preventing you from discussing things with third parties. Or requiring certain specific standards including what software you use to design the sewers. As long as there is consideration, there is a pretty wide range of things that are binding in a contract. Of course crazy demands generally reduce the quality of the contract or increase the amount of money necessary to find a taker.

      And while generally legal, being overly specific about terms that don't matter is a great way for a bureaucracy to waste money and a tremendous amount of time.

      --
      “Common sense is not so common.” — Voltaire
    12. Re:ban the man by davidphogan74 · · Score: 3, Informative

      A blanket ban on all P2P programs is still overkill, and not at all necessary. Bittorrent programs are P2P by definition, but you're not going to accidentally share a file with them any more than you're going to accidentally install Linux because of them.

    13. Re:ban the man by Un+pobre+guey · · Score: 3, Interesting

      Of course, if the P2P SW manages to tunnel through using http, you're back on square 1. I know, I know, you have a super duper deep-packet-sniffing sure-fire 100% secure proxy. Uh Huh. Sure.

  3. Not this again... by mlts · · Score: 3, Insightful

    It's not P2P in itself that is wrong. It is the use. The leaked information could have wound up on a website, blog, or FTP server, and I'm almost sure nobody would be saying that those technologies should be banned.

    1. Re:Not this again... by gnick · · Score: 4, Insightful

      Still, unless there's some strange and compelling business need, no big business should be allowing employees to run Limewire at work IMO. Especially on government machines with sensitive information. Some P2P may be useful for business purposes. But Limewire?

      --
      He's getting rather old, but he's a good mouse.
    2. Re:Not this again... by MozeeToby · · Score: 4, Insightful

      The issue isn't the P2P per se, it's the fact that many P2P programs make it easy to accidentally mark files for uploading that you don't mean to. A lazy/stupid/uninformed user stands a decent chance of sharing information without even realizing it, I remember trying to explain that to someone in my family way back when Napster was big, that they were sharing all of their documents out over the network because that is where they happened to store their downloaded files and they had marked the folder as one to share, not realizing that it would share files other than those they had downloaded.

      Any program that can upload user documents without the user having knowledge of it shouldn't be used on any kind of sensitive system. In my mind, bit torrent is relatively safe from this, since it requires the user to create a torrent and make it available, not the kind of thing that is going to happen accidentally.

  4. Encryption? by sexybomber · · Score: 4, Insightful

    If the leaked data was so sensitive, shouldn't it have been encrypted, or at the very, very least, password-protected? That seems like a no-brainer.

  5. Information wants to be free by davidwr · · Score: 5, Funny

    Information wants to be free.

    Especially high-value information.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  6. And? by Vinegar+Joe · · Score: 4, Informative

    Biden has already told the press the secret location of the VP's emergency bunker.

    http://blog.newsweek.com/blogs/thegaggle/archive/2009/05/15/shining-light-on-cheney-s-hideaway.aspx

    --
    "The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
    1. Re:And? by Lazlo+Woodbine · · Score: 3, Informative

      Years after BBC broadcast it to the world.

  7. LimeWire is to Blame by atomic_bomberman · · Score: 3, Insightful

    How could LimeWire let this happen? This is just as bad as fork and knife manufacturers who fail to keep fat, dumb people from eating too much.

  8. Not just those in the government are stupid... by sherpajohn · · Score: 4, Funny

    I heard a "security focal" in a large helpdesk group once tell us that mp3 files were "illegal" and anyone caught with them would be charged and fired.

    --

    Going on means going far
    Going far means returning
  9. BAN VERBAL COMMUNICATION! by popsensation · · Score: 4, Funny

    Let's ban all means in which people communicate, or at least have the government moderate it. MUAHHAHAHAH

  10. Come on Obama... by Maltheus · · Score: 4, Funny

    ...surely you've got the cash to just buy the tunes.

  11. Lights, Cameras, Lies by JackSpratts · · Score: 5, Insightful

    they could have fabricated similar testimony 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 year ago (you pick). oh wait, they did. meanwhile hard drives, laptops and usb drives keep wandering away with impunity & multi gigabytes of really sensitive data. god forbid you encrypt. much easier to blame p2p on the house floor in front of the bright lights of the very media cartels who create this artificial drama.

  12. baby and bath water by zogger · · Score: 5, Insightful

    Some leaks are good though, and necessary for maintenance of a free Republic. They are last ditch efforts by someone who is aware of "clear and present danger" when all else has failed to effect honesty and following the law in whatever bailiwick this person is working in, and usually the leakers are anything but traitors, they can be overwhelming patriots helping to expose the real bad guys and bad stuff. They can help expose government lies and corruption, when the official channels (all the way to *the very top*) are themselves completely corrupt, making any other effort doomed to failure.

    Here's a prime example. This leak was a *really big deal* for my boomer generation and certainly did some good, long range/historically speaking.