
Sporkman
November 20th, 2009, 08:57 PM
File-sharing software ban sought in House

By Paul Kane
Wednesday, November 18, 2009

Weeks after an embarrassing security breach revealed details of dozens of ethics investigations, a House committee chairman introduced legislation Tuesday that would forbid federal employees to use popular file-sharing technology that was involved in the leak.

Rep. Edolphus Towns (D-N.Y.), who chairs the House Oversight and Government Reform Committee, aims to outlaw federal workers from using networks such as LimeWire, through which network members can share computer and music files.

http://www.washingtonpost.com/wp-dyn/content/article/2009/11/17/AR2009111703841.html?wprss=rss_technology

CharlesA
November 20th, 2009, 09:01 PM
Lol! Can I get an epic fail?

lisati
November 20th, 2009, 09:04 PM
Sounds like a major fail of in-house security & ethics has already happened.

Edit:

Federal employees shouldn't be using P2P on their work issued computers.
+1. Wouldn't the workplace have some system in place already for moving files around internally and some kind of "acceptable use" policy?

LowSky
November 20th, 2009, 09:04 PM
Federal employees shouldn't be using P2P on their work issued computers.

earthpigg
November 20th, 2009, 09:47 PM
Federal employees shouldn't be using P2P on their work issued computers.

i got $20 that says they e-mailed themselves the stuff so they could look/work at home on their own computers.

nerdy_kid
November 20th, 2009, 10:10 PM
ohh

forbid federal employees to use popular file-sharing....

gee whiz you had me scared by that title! I thought they were trying to ban file-sharing period! (i do think that would be hard to do lol)

NCLI
November 20th, 2009, 10:29 PM
I don't see the problem. This is just a law the government has made to plug a security hole. No need for the scary title!

CharlesA
November 20th, 2009, 10:31 PM
Federal employees shouldn't be using P2P on their work issued computers.


The Washington Post reported last month on the inner workings of the House Ethics Committee and the Office of Congressional Ethics. The information came from a committee document that a junior staffer had exposed on her home computer, which was using peer-to-peer technology. A non-congressional source with no connection to the committee accessed the document and gave a copy to The Post.

Note the bold. :o

doas777
November 20th, 2009, 10:32 PM
Federal employees shouldn't be using P2P on their work issued computers.

the "work issued" part is the problem here. too many workaholics take their work home to unsecured PCs that their kids use to dl music.

Warpnow
November 20th, 2009, 10:35 PM
If they use linux they could set up a second partition in an encrypted LVM just for work related things.

SuperSonic4
November 20th, 2009, 10:37 PM
I don't see the problem. This is just a law the government has made to plug a security hole. No need for the scary title!

+1 - but then rationality and fact do not make for good news reports


I'm almost certain it would be forbidden to transfer any data outside the federal network anyway

doas777
November 20th, 2009, 10:41 PM
+1 - but then rationality and fact do not make for good news reports


I'm almost certain it would be forbidden to transfer any data outside the federal network anyway

forbidden, yes, but by policy, not by law. one results in a trip to HR for a lecture; the other results in a trip to a criminal court.

lisati
November 20th, 2009, 10:47 PM
Most of the fuss could be avoided if people took more care with what they did with work-related files. Leaving confidential and sensitive material in a publicly-accessible location is just plain careless, and potentially disrespectful to any confidentiality agreement the employee might have signed.

Keyper7
November 20th, 2009, 10:50 PM
The first thing I thought when I saw the subject title, with the capital H, was this:

SuperSonic4
November 21st, 2009, 02:43 PM
forbidden, yes, but by policy, not by law. one results in a trip to HR for a lecture; the other results in a trip to a criminal court.

I don't know much about the US legal system but surely you have something similar to the Data Protection Act which does make it illegal to transfer personal information outside the internal system

doas777
November 21st, 2009, 09:23 PM
I don't know much about the US legal system but surely you have something similar to the Data Protection Act which does make it illegal to transfer personal information outside the internal system

no, despite our bill of rights, American politicians aren't too concerned about protecting the privacy of the citizenry. if they did, the corporations would not be able to buy and sell us.

toupeiro
November 21st, 2009, 09:41 PM
no, despite our bill of rights, American politicians aren't too concerned about protecting the privacy of the citizenry. if they did, the corporations would not be able to buy and sell us.

Actually, there is something like this, but it requires all data to be protected by it to be classified appropriately. If the data wasn't classified, and the federal employee was permitted to do work from home with unclassified data, then there's no-one the fed can point the finger at but themselves. Firewalls, VPNs, and virus scanners can only do so much, but at some point the responsibility of data integrity must be passed off to someone responsible for its classification, accuracy, and access.

lethalfang
November 21st, 2009, 10:24 PM
How are they going to define P2P software?
Is a server capable of both uploading/downloading considered P2P?
Can some old lawmakers who are illiterate about computers even make the distinction?

autonomy
November 21st, 2009, 10:29 PM
When file-sharing is outlawed to federal employees, only outlaw federal employees will share files

alzie
November 21st, 2009, 10:39 PM
The proposal is backwards. Rather than make it illegal for a government employee to have P2P software on their *home* computer, make it illegal to store government files on any computer that has P2P software on it.

Wouldn't this be covered under terms of employment or is a law really required?

doas777
November 22nd, 2009, 12:14 AM
Actually, there is something like this, but it requires all data to be protected by it to be classified appropriately. If the data wasn't classified, and the federal employee was permitted to do work from home with unclassified data, then there's no-one the fed can point the finger at but themselves. Firewalls, VPNs, and virus scanners can only do so much, but at some point the responsibility of data integrity must be passed off to someone responsible for its classification, accuracy, and access.

well, "Classified" is common in the military and intelligence fields, but is not really part of the legislative process. documents may be considered secret, but it is not so rigidly formulated as the military clearance process.

lisati
November 22nd, 2009, 12:18 AM
Wouldn't this be covered under terms of employment or is a law really required?

It's probably covered to some extent by employment contracts/agreements. When I started work many years ago at an IT company that processed large amounts of financial information, I had to sign a confidentiality agreement; this was long before P2P was widely available to home users.

Frak
November 22nd, 2009, 01:35 AM
Federal employees shouldn't be using P2P on their work issued computers.
Federal employees shouldn't be connected to the internet with their work-issued computers.

toupeiro
November 22nd, 2009, 02:06 AM
well, "Classified" is common in the military and intelligence fields, but is not really part of the legislative process. documents may be considered secret, but it is not so rigidly formulated as the military clearance process.

I'm using classified as a transitive verb: To arrange in classes. I am not implying classified on its own as a specific level of classification. While that does indeed exist in government, it's still accurate to say that if something is "classified", then it has been classified by definition, which is the point I am trying to make.

earthpigg
November 22nd, 2009, 10:56 PM
well, "Classified" is common in the military and intelligence fields, but is not really part of the legislative process. documents may be considered secret, but it is not so rigidly formulated as the military clearance process.

<-- formerly held a federal top secret security clearance.

the classification levels are unified across the Federal government.

"Sensitive but Unclassified" (SBU) - called "For Official Use Only" (FOUO) by the DoD.
Confidential
Secret
Top Secret (including TS-SCI, Special Compartmentalized Information.)
...above this, no level is publicly acknowledged to exist.

SBU is SBU, and Secret is Secret, to any federal employee. individual organizations may have requirements beyond the blanket requirements as to how this data is guarded and whatnot.

SBU is stuff like social security numbers. stuff like what was compromised in this case. unlike the other levels, there are no 'hard' requirements for what kind of safe or what computers it can be processed on, etc. stuff above SBU is codified into law, but SBU/FOUO is done at the levels of the individual organizations via policy.

part of what they are talking about is changing that, so SBU will have laws and not just a myriad of varied policies maintained by each organization.

and it does make sense, to a degree - it is common practice for federal employees to get around the ban on personal thumb drives touching government systems, for example, by e-mailing themselves documents from their govt email to their personal email and then working from home. the whole Sarah Palin scandal when her personal e-mail was cracked and sensitive government documents were found? that was the norm, not the exception.

the problem i foresee: it is inevitable that employees will feel the need to work from home. in theory, employees that need to work from home are already given govt systems to do so on. in theory. budgets dictate otherwise.



you can give all the 'information assurance training' you want to non-techie employees -- nerds will always have the information asymmetry advantage over the rest, and employees will always find ways to work from home on the same computer the teenage kid runs Limewire on.

the solution to this dilemma, IMO, would be to issue employees super locked down dirt cheap netbooks running Linux (the SELinux stuff developed for/by/with the NSA spooks enabled). i nominate Ubuntu LTS to fill that role. teach them to plug a full sized keyboard and display into it, and then they can word process away while at home.

if they can pass a reasonable test on how to securely administer a personal desktop computer (something the vast majority of people cannot do), then they get the root and BIOS password to the netbook.

LinuxFanBoi
November 23rd, 2009, 09:32 PM
Federal employees shouldn't be using P2P on their work issued computers.

When I was in the Army, a guy in my battalion installed either Ares or BearShare, can't remember which, on a DOD computer. He lost half his pay for 2 months, had to do 45 days extra duty, 45 days restriction. Also lost his secret level security clearance, was forced to reclass to an MOS that didn't require a clearance of any kind. not a whole lot of jobs in the US Army that don't need security clearance and not many of them are very desirable.

Frak
November 23rd, 2009, 10:58 PM
When I was in the Army, a guy in my battalion installed either Ares or BearShare, can't remember which, on a DOD computer. He lost half his pay for 2 months, had to do 45 days extra duty, 45 days restriction. Also lost his secret level security clearance, was forced to reclass to an MOS that didn't require a clearance of any kind. not a whole lot of jobs in the US Army that don't need security clearance and not many of them are very desirable.
In the Navy, some guy (PO3) had Limewire. They changed his bars from Good Conduct to... not good conduct (Gold bars -> Red Bars). As far as I remember, he was required to change his NEC to something that didn't require clearance as well.

earthpigg
November 23rd, 2009, 11:11 PM
re: LinuxFanBoi and Frak

many of the officers in my unit in Iraq weren't happy with IRC to coordinate operations, and for some reason did not think to ask the radio dudes to set up a private radio freq for them to talk on, so they installed skype.

AFAIK, that meant that until this came to light, actual life-and-death decisions were broadcast in the clear to, from, and through Skype's servers.

the fallout for this was minimal. no punishment that i am aware of, and i would be surprised if the higher-ranked field grade officers writing their fitreps even understood the exact risks associated with this...

...the lower-ranked enlisted guy that discovered the skype issue, of course, got his performance ratings done by the guys he busted. so he obviously wasn't about to tell the Generals.

funny how that works out, huh? :D

CarpKing
November 23rd, 2009, 11:32 PM
Can some old lawmakers who are illiterate about computers even make the distinction?

Probably not. See: net neutrality debate (origin of the "series of tubes" clip).