Version: 2008

Comments on: Q&A: Tiversa co-founder talks about P2P leak

Company CEO, Sam Hopkins, on how government blueprints and avionics for President Obama's helicopter wound up at an IP address in Tehran.

by adamfisk March 1, 2009 2:31 PM PST
Oh my god, this guy is a complete snake oil salesman, and everyone's buying. I wrote a good deal of the code for LimeWire, and I've watched these jokers in their senate hearings for years. This is about drumming up business for Tiversa, not about national security or file sharing networks. Let's break down what he's really saying:

1) We found these documents on Gnutella in Iran (of course it's Iran, right?). They're likely all over the world, but you picking Iran will make this guy the most money.
2) We actually have no idea how they got on the network (there literally is no way for them to know), but let's go with the idea that an employee installed a p2p application, because that's our entire business, and we've been working on demonizing p2p for years now.
3) Everyone needs to contract with us right away to protect their networks.

For this to happen, someone, somewhere has to intentionally publish this file. This guy repeatedly makes it sound as if just installing a file sharing program exposes your entire hard drive. Wrong. Someone *intentionally published this*, that's just how it works, and it's even more disturbing. His "buggy clients" thing is total BS, and he knows it. So frustrating these scheisters (sp?) make a living at all.

If you want to secure your networks, folks, talking to this joker is not the path you want to take.

-Adam Fisk
by servermaker March 1, 2009 3:47 PM PST
Coop: what's your professional opinion about the extent of this sort of thing?
Hopkins: This is the biggest security problem of all time.

someone needs to help this poor guy before they let him talk to the press again...
by youreallfunny March 1, 2009 3:06 PM PST
During his campaign, Obama stated it was more important to fix the economic crisis than buy new helicopters for the President. Recently, he said he didn't see the need for new helicopters, that the current ones seemed fine. He quipped "then again I've never had a helicopter before". I think an easy way to justify spending hundreds of millions on fancy new helicopters in the midst of economic turmoil is to do it in response to a security breach regarding your current fleet. I'm not even a conspiracy theorist but I think this is painfully obvious. Unfortunately most people are too stupid to connect these dots. Obama also enjoys taking Air Force One for 150 mile rides. I'm glad we're able to provide our President with such wonderful toys at our collective expense all in the name of "security". Please pass the Kool Aid.
by servermaker March 1, 2009 3:30 PM PST
you're real funny, but you are not sending a message of hope.
by factsright March 1, 2009 5:26 PM PST
There's no conspiracy. You're the idiot for not getting your facts straight. Upgrading President Obama's helicopter was inherited by the Bush administration in response to 9/11. Just google it.
by sp33dyf33t March 1, 2009 4:54 PM PST
wow this is fantastic.... i think this author put it right
http://www.ffwtech.com/?p=177
by simon09 March 1, 2009 8:59 PM PST
hey who cares if obama wants to upgrade his helicopter anyway, he's about to save the entire US from financial meltdown and cut the deficit in half - would you rather obama's copter go down and lose him altogether - that'd cost you about 5 trillion more dollars - i say * it - he should upgrade his mini bar on that heli and have a well earnt drink too!
by Commander_Spock March 1, 2009 9:44 PM PST
Gee Whiz... Do ya all wanna bet that things like these do not happen with the OS/2 Machines in Russia. Got to find out anyway (now that Siberia is warming up) where the folks who "slip up" where Russian "Military Secrets" are concerned are sent to.

"Peer-To-Peer" in OS/2 must be really damn good; and, the "Russians" may have known about this all along; thus, providing compelling reasons to rely on it for their Carrier Rockets' Launches!!!

Go The Smart Way Like The Russians, Go OS/2!
by 3rdalbum March 1, 2009 10:39 PM PST
"Everyone uses P2P. Everyone."

Snake oil salesman.
by Joliet555Y March 2, 2009 6:50 AM PST
@ AdamFisk:

"Oh my god, this guy is a complete snake oil salesman, and everyone's buying. I wrote a good deal of the code for LimeWire"

Oh really? Go to Limewire or any other P2P client... Restrict your search to "documents"... Type in some keywords "tax" "tax return" "passwords" "credit report" "strategy", "bank", "banking", etc. Within minutes you'll have dozens of PDF files of people's personal tax returns, banking information, etc. In many cases you'll be in a queue behind several others downloading the information. Maybe Limewire's 5.0 will take care of this, maybe it won't. P2P has been promising to fix this for years, but they don't because it's not a priority for them.

The security vulnerabilities are very real my misinformed friend. If you wrote the code you should know that. I know it's inconvenient for the P2P companies to admit this, and for the P2P users who are using the client to ILLEGALLY download movies, games, tv shows, software, etc.

See the story on NBC last night. Family had their identity stolen because their girls were downloading music off of P2P. The thief stole their $2000 tax refund check when he got ahold of their SSN. The money was going to the girls' college fund... Too bad for them. I guess there IS a cost after all to using these services.
by Meg_Whitman March 2, 2009 10:21 AM PST
Yeah, Adam I was thinking the same thing. A plant. Conveniently Iran. Or, someone is laying the foundation for something a lot more sinister. That, ultimately, is my concern.
by Sam_Hopkins March 3, 2009 1:21 PM PST
Adam,

I just wanted to follow up and maybe educate you on this security threat. 500 million people have installed a software product that shares the files on their computer system with millions of individuals. Confidential information is exposed via P2P for a plethora of reasons. Whether it is buggy software, a child selecting the C: drive as the share, or a virus resetting the shared folder to the entire drive - it can, does, and is happening. There are plenty of well published examples of P2P security breaches, some including LimeWire. You can find them by doing a search on the web. Secondly, we know for a fact that malicious and terroristic individuals and foreign governments are actively downloading this information. An example of this is the Marine One breach that you are commenting on. If you'd like a domestic example, do a search for "Gregory Kopiloff", an identity thief who used LimeWire P2P software to download tax returns of unsuspecting individuals and used this information to commit crimes. Don't take my word for it though. Take the word of leading security experts such as US-CERT and Gartner, or maybe read the SANS Top 20 Security Risks report.

In answering your specific break down statements:

1. Are you saying that President Obama's helicopter plans in Iran is not cause for alarm? Would it make a difference if the plans were in the hands of a malicious person in Washington DC? I think you are really missing the point here. While I would love for these plans to have been in the hands of a 9 year old in Idaho, the fact remains they were located on a malicious person's computer system in Iran.

2. While you cannot speak to our technology, I can. Our technology allows us to detect, track, and locate the originating source of the disclosure. We utilize this each and every day to protect our clients.

3. Organizations do not have to contract with us. However, if they want to know about their extended enterprise, meaning the vendors, contractors, partners, employees, etc that possess and expose their confidential information - all of which is often outside of their "four walls" - then they should. Perhaps you should call your doctor, accountant, or employer and ask them what they are doing to ensure that YOUR personal information is secured from being disclosed via the P2P. Once you are done talking to them, contact every other person or organization that you ever gave your SSN to and ask them what they are doing.

Also, just to correct you, you don't have to *intentionally publish a file* to expose it via the P2P - that would be the World Wide Web, which we're not talking about. To make a file available to the P2P you simply place it in a shared directory on your computer, which in most cases is C:, My Documents, or My Desktop. Also, to your comment of the senate hearings, the chairman of LimeWire stated under oath that Tiversa knew more about P2P security than LimeWire did. Feel free to watch it, it should be online.

Samuel Hopkins
CTO - Tiversa
by judgesmells March 4, 2009 6:18 PM PST
Hi,

I was wondering if it is standard operating procedure for Tiversa to submit such findings to the DOD? If so, does the DOD actually respond? I worked in government years ago, and I cannot imagine anybody does anything about such issues.
About Coop's Corner

Charles Cooper has covered technology and business for more than 25 years. A graduate of Queens College and Columbia University, Cooper received the Excellence in Journalism award from the Northern California branch of the Society for Professional Journalists for column writing.
