<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>

<channel>
	<title>Peer-to-Peer Network Security</title>
	<atom:link href="http://www.p2p-security.com/feed" rel="self" type="application/rss+xml" />
	<link>http://www.p2p-security.com</link>
	<description>from United Security Alliance, Inc.</description>
	<pubDate>Tue, 20 Oct 2009 13:59:44 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Software Industry Blasts P2P Networks</title>
		<link>http://www.p2p-security.com/software-industry-blasts-p2p-networks</link>
		<comments>http://www.p2p-security.com/software-industry-blasts-p2p-networks#comments</comments>
		<pubDate>Tue, 20 Oct 2009 13:59:44 +0000</pubDate>
		<dc:creator>tottinger</dc:creator>
		
		<category><![CDATA[All Articles]]></category>

		<category><![CDATA[Copyright Infringement]]></category>

		<category><![CDATA[Cost of P2P]]></category>

		<category><![CDATA[News Articles]]></category>

		<guid isPermaLink="false">http://www.p2p-security.com/?p=910</guid>
		<description><![CDATA[By John Wagley 
SecurityManagement.com/ News -  The Business Software Alliance (BSA) is sending a growing flurry of takedown notices to peer-to-peer (P2P) networks and online auction sites in an effort to fight piracy, according to a new BSA report. 
BSA, consisting of a host of software developers, says 41 percent of the software used on personal computers [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By John Wagley </strong></p>
<p><strong>SecurityManagement.com/ News</strong> -  The Business Software Alliance (BSA) is sending a growing flurry of takedown notices to peer-to-peer (P2P) networks and online auction sites in an effort to fight piracy, <a href="http://www.bsa.org/internetreport" target="_blank">according to a new BSA report</a>. </p>
<p>BSA, consisting of a host of software developers, says 41 percent of the software used on personal computers worldwide is illegitimate, resulting in about $53 billion in industry losses.</p>
<p><span id="more-910"></span>The alliance sent almost 2.4 million takedown notices related to P2P file-sharing in the first half of 2009, a 200 percent increase from the same period in 2008, according to the report. It also sent 19,000 notices to online auction sites in the same period, a 4 percent year-over-year increase. Assisted by a proprietary P2P tracking tool, BSA says it identified almost $1 billion in illegal software for sale on P2P networks in the first half of this year.</p>
<p> When legitimately used, P2P networks can be valuable in boosting business productivity and in other areas, said a BSA executive. But &#8220;[o]ne of the great disappointments of this technology&#8230;is that it is now too often seen as the domain only for pirates and malcontents who place no value on the work of software developers and designers.&#8221;</p>
<p> BSA&#8217;s aggressive stance comes at a time when a relatively new form of security tool, called software protection technology, is improving and looks poised for significant sales growth, <a href="http://www.forrester.com/Research/Document/Excerpt/0,7211,48394,00.html" target="_blank">according to a recent Forrester Research report</a> (<em>subscription only</em>). Software protection tools consist of a cluster of technologies, including software obfuscation and tamper proofing, which make programs harder to reverse engineer, and business intelligence, which includes technology that helps monitor and enforce licensing agreements.</p>
<p>Such technology has been available for some time, says Chenxi Wang, the Forrester analyst who authored the report. But new advancements as well as strong demand should fuel market growth, she says. Software protection technology can benefit both developers and businesses that rely significantly on proprietary software, Wang says.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.p2p-security.com/software-industry-blasts-p2p-networks/feed</wfw:commentRss>
		</item>
		<item>
		<title>P2P legislation puts pressure on university IT departments</title>
		<link>http://www.p2p-security.com/p2p-legislation-puts-pressure-on-university-it-departments</link>
		<comments>http://www.p2p-security.com/p2p-legislation-puts-pressure-on-university-it-departments#comments</comments>
		<pubDate>Mon, 19 Oct 2009 21:06:15 +0000</pubDate>
		<dc:creator>tottinger</dc:creator>
		
		<category><![CDATA[All Articles]]></category>

		<category><![CDATA[Educational]]></category>

		<category><![CDATA[Government]]></category>

		<category><![CDATA[Legal Rulings]]></category>

		<category><![CDATA[News Articles]]></category>

		<guid isPermaLink="false">http://www.p2p-security.com/?p=905</guid>
		<description><![CDATA[By:  Ellen Messmer  
For: ComputerWorld 
New legislation is pressuring U.S. colleges and universities to do a better job combating illegal file-sharing - and it&#8217;s taking a toll on campus IT departments
 New legislation is putting pressure on U.S. colleges and universities to do a better job combating illegal file-sharing &#8212; and it&#8217;s taking a toll on campus IT [...]]]></description>
			<content:encoded><![CDATA[<p>By:  <a href="http://www.itworldcanada.com/user/Profile.aspx?UserName=Ellen%20Messmer">Ellen Messmer</a>  </p>
<p>For: <strong>ComputerWorld </strong></p>
<p><strong>New legislation is pressuring U.S. colleges and universities to do a better job combating illegal file-sharing - and it&#8217;s taking a toll on campus IT departments</strong></p>
<p> New legislation is putting pressure on U.S. colleges and universities to do a better job combating illegal file-sharing &#8212; and it&#8217;s taking a toll on campus IT departments, according to research published this week.</p>
<p><span id="more-905"></span>A law passed by Congress and signed into law by President Bush in August requires the nation&#8217;s 4,400 public and private colleges and universities to address the issue of illegal peer-to-peer (P2P) file-sharing of digital content on campus.</p>
<p> Buried in the Higher Education Opportunity Act of 2008 are requirements that <a href="http://www.itworldcanada.com/tag/campuses">campuses</a> inform students that illegal distribution of copyrighted materials, such as music and movies, is subject to criminal and civil penalties. The law requires <a href="http://www.itworldcanada.com/tag/college">college</a> and university management to certify to the U.S. Secretary of Education that they have developed plans to &#8220;effectively combat&#8221; illegal P2P. </p>
<p>The new law also strongly encourages the use of technical measures to monitor and block illegal P2P, which some observers in academia expect the U.S. Department of Education will make a mandatory requirement during the next year. </p>
<p>Beyond trying to stop illegal P2P activity by students on campus <a href="http://www.itworldcanada.com/tag/networks">networks</a>, the new law suggests colleges and universities ought to be licensing digital music services, such as those from Napster, for students. </p>
<p>&#8220;The legislation is explicit that campuses are expected to offer an alternative to P2P piracy by licensing a music service such as Napster,&#8221; says Kenneth Green, founding director of the Encino, Calif.-based Campus Computing Project (CCP), which since 1990 has studied the role of information technology in American higher education. If this becomes a requirement next year, campuses can expect to pay &#8220;six figures&#8221; for the kind of licensing envisioned under the legislation, a provision supported by such trade groups as the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA). </p>
<p>While Green doesn&#8217;t deny that illegal P2P file-sharing occurs on college campuses across the country, he adds that MPAA and RIAA (which successfully lobbied Congress to get the P2P file-sharing provisions into the 2008 bill) are overstating the problem.</p>
<p>This week the CCP published a survey of 321 colleges and universities to see how they&#8217;re handling P2P piracy issues. The survey, titled &#8220;The Campus Costs of P2P Compliance,&#8221; also draws on data from CCP&#8217;s annual, broader 2007 survey of IT on campus. </p>
<p>Survey respondents report the burden for P2P compliance is falling directly on campus IT <a href="http://www.itworldcanada.com/tag/personnel">personnel</a> and is a huge drain on their time. &#8220;As high as two IT personnel are involved, which could mean a salary overhead of [US] $150,000 to 200,000,&#8221; Green says.</p>
<p>The survey found that about 85 per cent of academic institutions already inform their students about P2P piracy. Methods vary widely &#8212; from simple posters on the wall to more in-depth online tutorials required at some places, such as Cornell University, to teach students rights and responsibilities before they use the college network, Green says.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.p2p-security.com/p2p-legislation-puts-pressure-on-university-it-departments/feed</wfw:commentRss>
		</item>
		<item>
		<title>SafeMedia announces major Clouseau update enhancing its functionality</title>
		<link>http://www.p2p-security.com/safemedia-announces-major-clouseau-update-enhancing-its-functionality</link>
		<comments>http://www.p2p-security.com/safemedia-announces-major-clouseau-update-enhancing-its-functionality#comments</comments>
		<pubDate>Tue, 22 Sep 2009 16:00:38 +0000</pubDate>
		<dc:creator>tottinger</dc:creator>
		
		<category><![CDATA[All Articles]]></category>

		<category><![CDATA[Blog on P2P]]></category>

		<category><![CDATA[Press Releases]]></category>

		<guid isPermaLink="false">http://www.p2p-security.com/?p=893</guid>
		<description><![CDATA[Clouseau New Major Release (1.1.81) 
1. Added additional blocks (restrictions) for Circumventing type proxies: Circumventing proxies are those proxies developed intentionally to by-pass all current security devices and technologies. They are local proxies installed on user machines and disguise P2P traffic through encryption and the use of port 80 or 443
2.    Clouseau now blocks the following [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Clouseau New Major Release (1.1.81) </strong></p>
<p>1. <strong>Added additional blocks (restrictions) for Circumventing type proxies</strong>: Circumventing proxies are those proxies developed intentionally to by-pass all current security devices and technologies. They are local proxies installed on user machines and disguise P2P traffic through encryption and the use of port 80 or 443</p>
<p><em><span id="more-893"></span>2.    </em><strong>Clouseau now blocks the following proxies: </strong><em>TOR, Ultra VPN, Your-Freedom, Freeproxy, Privoxy, Twilight, SocksCap, Multiproxy, FreeCap, Widecap, proxifier, Ghost, HideMyIP2009, TrafficCompressor and  Hopster.</em></p>
<p><em>3.    </em><strong>Added Static IP Addresses used for system updates: </strong><em>SafeMedia has added this new feature for Networks that don&#8217;t have access to a DHCP Server. Clouseau is configured as Bridge and does not require any IP Addresses during normal operation; however when Clouseau checks for remote updates an IP Address is required. Clouseau will now check if Static IP Addresses have been configured by the System Administrator, if configured Clouseau will randomly use the Static IP Addresses configured to check for remote updates. One Static IP Address is ok, but the random feature will not function. SafeMedia recommends at least two (2) Static IP Addresses be configured for tighter security.</em></p>
<p><em>4.    </em><strong>Added redirect URL</strong> (redirects Web Browsers that have been blocked by Clouseau): <em>By default a user&#8217;s web browser is redirected to a SafeMedia information web page when a user tries to gain access to a web site that has been blocked by Clouseau. Note: The System Administrator can override this default URL by entering a valid URL of their choice. Only one URL can be active at any given time.</em></p>
<p><em>5.    </em><strong>Added IP Address to Port bindings: </strong><em>Clouseau now binds the DHCP IP Address or Static IP Address to Port1 prior to remote updates, thus preventing Clouseau from using other internal ports.</em></p>
<p><em>6.    </em><strong>Added System Time &amp; Date settings: </strong><em>Clouseau now supports local Time &amp; Date setting, by setting Clouseau&#8217;s time &amp; date all your logs will have the correct time &amp; date stamp.</em></p>
<p><em>7.    </em><strong>Added Time &amp; Date Stamping to log files: </strong><em>Clouseau will now time &amp; date stamp all log files for better tracking.</em></p>
<p><em>8.    </em><strong>Added new log rotation methods: </strong><em>Clouseau will now rotate log files prior to remote updates, if all.log or log.txt is greater than twenty (20) megabytes, then that file will be rotated.</em></p>
<p><em>9.    </em><strong>Added logical grouping of Control Panel</strong> (Graphics Interface): <em>Changed the logical grouping of Clouseau&#8217;s Control Panel for better System Administrator navigation</em></p>
<p><em>10. </em><strong>Added speed increase for new updates</strong>: <em>System Administrators can now enter the IP Address of a Domain Name Server which their network has permission to use. This will increase the speed of Clouseau&#8217;s remote updates by resolving SafeMedia&#8217;s update Servers Domain Names in milliseconds rather than seconds.</em></p>
<p>11. <strong>User Manual access via Clouseau Control Panel Username &amp; Password required: </strong>(<a href="http://www.safemediacorp.com/usermanual/manual.pdf">http://www.safemediacorp.com/usermanual/manual.pdf</a>) Username: <strong>netadmin</strong> Password: <strong>security2210</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.p2p-security.com/safemedia-announces-major-clouseau-update-enhancing-its-functionality/feed</wfw:commentRss>
		</item>
		<item>
		<title>What to Know About Red Flags, Notification Laws and the Hi Tech Act</title>
		<link>http://www.p2p-security.com/what-to-know-about-red-flags-notification-laws-and-the-hi-tech-act</link>
		<comments>http://www.p2p-security.com/what-to-know-about-red-flags-notification-laws-and-the-hi-tech-act#comments</comments>
		<pubDate>Mon, 21 Sep 2009 21:00:15 +0000</pubDate>
		<dc:creator>tottinger</dc:creator>
		
		<category><![CDATA[All Articles]]></category>

		<category><![CDATA[Data Loss]]></category>

		<category><![CDATA[Government]]></category>

		<category><![CDATA[Legal Rulings]]></category>

		<category><![CDATA[News Articles]]></category>

		<guid isPermaLink="false">http://www.p2p-security.com/?p=890</guid>
		<description><![CDATA[By David S. Perkins
September 21, 2009
Data breaches have hit an all-time high, and with that has come a dramatic increase in new data security and privacy laws and regulations. Both state and federal regulations have been in place for several years with regard to security and privacy of Personal Identifiable Information (PII) and Protected [...]]]></description>
			<content:encoded><![CDATA[<p>By <a title="Contact this author" href="http://www.insurancejournal.com/feedback/?f=8&amp;a=103926&amp;author=2049&amp;code=author&amp;url=/news/national/2009/09/21/103926.htm">David S. Perkins</a><br />
September 21, 2009</p>
<p>Data breaches have hit an all-time high, and with that has come a dramatic increase in new data security and privacy laws and regulations. Both state and federal regulations have been in place for several years with regard to security and privacy of Personal Identifiable Information (PII) and Protected Health Information (PHI). However, new regulations have popped up at a rapid pace. Just a few years ago there were only a handful of states that had data breach notification laws. Today, 44 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted data breach privacy laws and federal legislation is well on its way.</p>
<p><span id="more-890"></span>Today, more than ever, it is difficult for business owners and chief information officers (CIO) to navigate the ever expanding minefield of data breach privacy laws. Just as we have begun to get comfortable understanding laws like HIPAA, Gramm-Leach-Bliley and the Fair Credit Reporting Act, businesses now have to decipher the Red Flags Rule, Hi Tech Act and a myriad of state notification laws. Following is a list of current regulations that business owners and CIOs should be familiar with, including some key compliance dates.</p>
<p><strong>State Notification Laws</strong></p>
<p>The majority of states (44 as of this writing plus the District of Columbia, Puerto Rico and the Virgin Islands) have enacted data breach notification laws. These laws require businesses to timely notify any customer or patient that may be affected by a data breach. Every state has their own unique requirements as to the format of notification, time frame with which to notify, and content of the notification letter. In many cases, failure to notify pursuant to a particular state&#8217;s notification law may lead to fines and penalties imposed upon the business owner.</p>
<p><strong>Red Flags Rule</strong></p>
<p>In November 2007, Federal Banking Agencies and the Federal Trade Commission (FTC) created an addition to the Fair Credit Reporting Act called the &#8220;Red Flags Rule&#8221;. The Red Flags Rule applies to &#8220;financial institutions&#8221; and &#8220;creditors&#8221; with &#8220;covered accounts,&#8221; as defined by the regulation. The intent was to have affected businesses implement an identity theft prevention program. However, there has been a tremendous amount of controversy over the terms &#8220;creditors&#8221; and &#8220;covered accounts.&#8221; The law is not perfectly clear as to what these terms mean and has a number of business groups concerned about their requirement to comply with the regulation. For example, it has been debated if a health care provider, such as a physician or dentist, is considered a &#8220;creditor&#8221; under the rule. A &#8220;creditor&#8221; is defined as any entity that regularly extends, renews or continues credit or any entity that regularly arranges for the extension, renewal or continuation of credit. Under this description, many businesses may be required to comply with the Red Flags Rule. Recently, the FTC has extended the date for compliance to Aug. 1, 2009.</p>
<p><strong>Massachusetts 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth)</strong></p>
<p>In September 2008 the Massachusetts Office of Consumer Affairs &amp; Business Regulation issued a regulation intended to protect the unauthorized disclosure of personal information of Massachusetts residents. The regulation establishes very strict requirements for any &#8220;persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts&#8221; with regards to ensuring the security and confidentiality of personal information.</p>
<p>What makes this specific state law so important is that it applies to any person or business, whether or not they are domiciled in the state of Massachusetts, that have personal information on even one resident of Massachusetts. This regulation mandates sweeping changes in the development of data security protection. In addition to the expanded data protection requirements, the new law also includes penalties for non-compliance (violators may be subject to a $5,000 civil penalty for each violation of each affected person). Compliance with the new regulation has been postponed until Jan. 1, 2010.</p>
<p><strong>Hi-Tech Act</strong></p>
<p><strong>Part of the 2009 American Recovery and Reinvestment Act, otherwise known as the Stimulus package, the HITECH Act provides incentives for physicians who implement &#8220;meaningful use&#8221; of an Electronic Health Record system</strong>. While the exact criteria are still being defined, such systems must be able to electronically e-Prescribe, exchange information, and submit clinical quality measures. In short, the federal government is making it mandatory for health care providers to disclose and disperse reams of personal data electronically. What this act also does is create a federal notification requirement for the breach of Protected Health Information. So in addition to the 44 state notification requirements, health care professionals will have to comply with a federal mandate to notify patients if their records have been compromised. Since this regulation is still new, it is not known how this will impact health care providers in their expanded requirements to notify patients of potential breaches.</p>
<p><strong>What&#8217;s Around the Corner?</strong></p>
<p>H.R. 2221, the Data Accountability and Trust Act, recently passed the House subcommittee on Commerce, Trade, and Consumer Protection by a voice vote during a markup session. The bill, which was introduced by House Subcommittee Chair Rep. Bobby Rush, D-Ill., would require businesses to notify affected customers when outside parties gain access to sensitive information due to a security breach. If this act is passed it will create yet another data breach notification law for businesses to comply with and additional costs imposed upon them in the event of a data breach.</p>
<p><strong>Insurance and Risk Management Solutions</strong></p>
<p>With this rapid expansion of data breach laws, the insurance industry has responded by introducing innovative new insurance products to protect businesses from data security breaches and failure to protect personal information of customers and patients. Cyber liability or security and privacy insurance has been developed by a number of insurance carriers to provide coverage for exposures, such as:</p>
<ul type="disc">
<li>First Party Coverages - network attack business income and extra expense; cyber extortion; crisis management expenses; and notification costs and credit monitoring expenses.</li>
<li>Third Party Coverages - network security liability; privacy liability; regulatory defense coverage (including fines and penalties); and Internet and media liability.</li>
</ul>
<p>The policy forms that exist in the marketplace today are not all alike and there are no standard policy forms. Each policy requires extensive review and analysis in order to determine the coverage needs of each prospective insured.</p>
<p>In addition to the insurance policies provided by insurance carriers, there are also risk management services that are provided via third party vendors. There are a number of third party vendors that offer services, including: network security policy and procedure development; network security exposure analysis; crisis management services; forensic investigation services; credit monitoring services, among other services.</p>
<p>With the number of known data breaches and data breach costs on the rise, the increase in legislation and the availability of insurance and risk management solutions, it is imperative that business owners review and analyze the costs associated with compliance of these new laws and the cost to transfer the risk.</p>
<p><em>Perkins, RPLU, is senior vice president for S. H. Smith &amp; Co. Inc. He leads the Professional and Management Liability Department in this national specialty insurance broker&#8217;s Massachusetts office and specializes in technology/cyber liability risks. </em></p>
<p><a href="http://www.insurancejournal.com/news/national/2009/09/21/103926.htm">http://www.insurancejournal.com/news/national/2009/09/21/103926.htm</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.p2p-security.com/what-to-know-about-red-flags-notification-laws-and-the-hi-tech-act/feed</wfw:commentRss>
		</item>
		<item>
		<title>More p2p fiascos</title>
		<link>http://www.p2p-security.com/more-p2p-fiascos</link>
		<comments>http://www.p2p-security.com/more-p2p-fiascos#comments</comments>
		<pubDate>Mon, 03 Aug 2009 13:00:22 +0000</pubDate>
		<dc:creator>tottinger</dc:creator>
		
		<category><![CDATA[All Articles]]></category>

		<category><![CDATA[Data Loss]]></category>

		<category><![CDATA[News Articles]]></category>

		<guid isPermaLink="false">http://www.p2p-security.com/?p=837</guid>
		<description><![CDATA[Rian from RedTeam Protection, a division of Tony Josephs and Sons Investigations Inc., just sent me another batch of p2p cockups that exposed personal - and in some cases - sensitive medical - information. In each case, RedTeam advised the entity and/or helped ensure removal of the filesharing application.
Some of these breaches are more security-related [...]]]></description>
			<content:encoded><![CDATA[<p>Rian from <a href="http://www.redteamprotection.com/">RedTeam Protection</a>, a division of Tony Josephs and Sons Investigations Inc., just sent me another batch of p2p cockups that exposed personal - and in some cases - sensitive medical - information. In each case, RedTeam advised the entity and/or helped ensure removal of the filesharing application.</p>
<p><span id="more-837"></span>Some of these breaches are more security-related than privacy-related, but they&#8217;re all reminders of the risks. What a shame that most of these never seem to get reported to states so that they can be included in our chronologies and databases. RedTeam doesn&#8217;t reveal the names of the entities, however, and treats all of their findings as confidential.</p>
<p>An employee of a Virginia based family counseling corporation leaked out 1,698 files onto the gnutella file sharing network. These documents included Individualized Service Plans, which included psychological evaluations, Medicaid numbers, social security numbers, and dates of birth.</p>
<p>The administrator of a California based treatment home leaked 1,632 business documents onto the gnutella P2P network, including Individualized Service Plans, including dates of birth, complete medical histories, and health insurance numbers.</p>
<p>The owner of a California based music studio published 2,436 business related files onto the gnutella file sharing network. The files included personal contact information and signatures of well known musicians.</p>
<p>An executive at a United Arab Emirates based insurance provider made publicly accessible 2,435 business related documents, including insurance numbers, scanned certificates, and workers compensation claims.</p>
<p>A Turkish accountant published 6,882 files onto the gnutella file sharing network, which included client balance sheets, account numbers, nondisclosure agreements, confidential merger information, and five years of faxes stored on the accountant&#8217;s hard drive.</p>
<p>A family counselor at a Washington, DC based treatment center made 4,886 files accessible over the gnutella file sharing network. These files included the personal identifiers of juveniles seeking treatment for various behavioral issues, in addition to psychological profiles and emergency contact information.</p>
<p>A facilities manager at a national engineering consultancy published 13,038 files onto the gnutella file sharing network. These files contained confidential security and safety information for a manufacturing plant, numerous vendor non disclosure agreements and internal correspondence.</p>
<p>A security manager at a Louisiana based chemical plant leaked 107 confidential files onto the gnutella P2P network. These files included bomb threat procedures, internal contact numbers, login names and passwords for the plant security system, contingency management documents and radio frequency assignments.</p>
<p>An employee of a presidential protection unit in Africa published 2,298 files onto the gnutella file sharing network, including intelligence reports regarding child soldiers and pending investigations.</p>
<p>An executive at an Indonesian airline corporation published 9,263 files onto the gnutella P2P network, including security documents, human resource information and thousands of files relating to internal communications and vendor relations.</p>
<p>The superintendent/former superintendent of a Texas based school district published 11,884 internal files onto the gnutella file sharing network. These files included confidential correspondence with parents, confidential grade sheets with dates of birth and student ID numbers, and confidential statistics listing grades sorted by demographics such as age and race.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.p2p-security.com/more-p2p-fiascos/feed</wfw:commentRss>
		</item>
		<item>
		<title>P2P ban plan for Government gets mixed response</title>
		<link>http://www.p2p-security.com/p2p-ban-plan-for-government-gets-mixed-response</link>
		<comments>http://www.p2p-security.com/p2p-ban-plan-for-government-gets-mixed-response#comments</comments>
		<pubDate>Fri, 31 Jul 2009 13:00:22 +0000</pubDate>
		<dc:creator>tottinger</dc:creator>
		
		<category><![CDATA[All Articles]]></category>

		<category><![CDATA[Data Loss]]></category>

		<category><![CDATA[Government]]></category>

		<category><![CDATA[Legal Rulings]]></category>

		<category><![CDATA[News Articles]]></category>

		<guid isPermaLink="false">http://www.p2p-security.com/?p=875</guid>
		<description><![CDATA[Written by Jaikumar Vijayan , Computerworld , 07/31/2009
 Poorly crafted law could also block some cost-saving file-sharing tech, some say
A proposal to introduce a bill seeking to formally ban the use of peer-to-peer (P2P) file sharing applications on government and contractor networks is evoking a mixed response.
Rep. Edolphus Towns (D-NY) yesterday announced his intention to [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Written by Jaikumar Vijayan , Computerworld , 07/31/2009</strong></p>
<p> Poorly crafted law could also block some cost-saving file-sharing tech, some say</p>
<p>A proposal to introduce a bill seeking to formally ban the use of peer-to-peer (P2P) file sharing applications on government and contractor networks is evoking a mixed response.</p>
<p><span id="more-875"></span>Rep. Edolphus Towns (D-NY) yesterday announced his intention to introduce such a bill, after he, and other members of the House Oversight and Government Reform Committee heard testimony about numerous highly sensitive government documents being found on P2P networks as a result of inadvertent leaks.</p>
<p>Examples of such leaks that were highlighted at the hearing included details on the President&#8217;s motorcade routes and the First Family&#8217;s safe house location &#8212; to be used in a national emergency &#8212; being found on P2P networks.</p>
<p>Towns, who is the chairman of the House oversight committee, said that the leaks pointed to a continuing failure by developers of P2P software to implement features for preventing inadvertent data disclosure on file-sharing networks.</p>
<p>He said that a ban on P2P use on government and contractor computers and networks had become necessary because the developers had so far shown themselves to be &#8220;unwilling or unable&#8221; to ensure P2P user safety. &#8220;It&#8217;s time to put a referee on the field,&#8221; he said at the hearing.</p>
<p>The idea is an &#8220;excellent&#8221; one, said Thomas Sydnor, a director at the Progress &amp; Freedom Foundation, a Washington based think-tank. &#8220;The real questions are over how it gets implemented and by whom,&#8221; Sydnor said.</p>
<p>Over the past few years there has been some debate in Washington over the need to regulate use of P2P software on government networks, because of data leak fears, he said.</p>
<p>A 2004 directive from the White House Office of Management and Budget recommends measures to federal agencies for governing the use of P2P software on federal agency and contractor networks, he said.</p>
<p>The question now is whether the time has come to transition the directive into a formal law with Congressional oversight or let it remain an executive directive, he said.</p>
<p>The difference right now is that if a federal agency is not complying with the OMB directive it remains an executive branch concern. &#8220;The debate is whether it should be done by law or by directive,&#8221; he said.</p>
<p>Either way, the time has come for greater oversight over the use of file-sharing tools on government and contractor networks, especially because more government workers are logging in to work from home these days, Sydnor said. Care needs to be taken to ensure that any law that is crafted does not &#8220;sweep in&#8221; useful file-sharing technologies as well, he added.</p>
<p>But Fred von Lohmann, a senior staff attorney with the Electronic Frontier Foundation, said a government-wide ban on P2P use would have dubious benefit. &#8220;I&#8217;m sure there are at least as many leaks that occur thanks to unwise uses of e-mail and Web browsers,&#8221; compared with P2P use, he said.</p>
<p>A ban specifically on P2P use would not go far enough in tackling leaks stemming from e-mail, browsers and other sources, von Lohmann said. At the same time, it could also have the effect of banning the use of potentially useful P2P tools within government enterprises, he said.</p>
<p>He pointed to the increasing use of BitTorrent and other P2P architectures by video game companies and licensed music services such as Spotify as examples where the technology can play a very useful role. &#8220;So it could be very difficult to ban only the &#8216;bad&#8217; software without also banning the &#8216;good&#8217; software,&#8221; von Lohmann said.</p>
<p>&#8220;It would be an unfortunate outcome if, 10 years from now, the US government were unable to take advantage of new, cost-saving software products because of an antiquated P2P software ban enacted today.&#8221;</p>
<p>This is the second time in the last two years &#8212; and the third time overall &#8212; that the House oversight committee has held a hearing on the data leak risks associated with the use of P2P file-sharing software. If Towns does introduce a bill seeking to ban P2P, it would become the second piece of legislation introduced recently to deal with concerns stemming from inadvertent data leaks on file-sharing networks.</p>
<p>In March, Rep. Mary Bono Mack (R-CA) introduced The Informed P2P User Act (H.R. 1319), which is designed to get file-sharing software developers to provide clear disclosure to users on whether and how their files will be made available for sharing with others on a P2P network.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.p2p-security.com/p2p-ban-plan-for-government-gets-mixed-response/feed</wfw:commentRss>
		</item>
		<item>
		<title>File Sharing Leaks Sensitive Federal Data, Lawmakers Are Told</title>
		<link>http://www.p2p-security.com/file-sharing-leaks-sensitive-federal-data-lawmakers-are-told</link>
		<comments>http://www.p2p-security.com/file-sharing-leaks-sensitive-federal-data-lawmakers-are-told#comments</comments>
		<pubDate>Thu, 30 Jul 2009 16:00:24 +0000</pubDate>
		<dc:creator>tottinger</dc:creator>
		
		<category><![CDATA[All Articles]]></category>

		<category><![CDATA[Data Loss]]></category>

		<category><![CDATA[Government]]></category>

		<category><![CDATA[News Articles]]></category>

		<guid isPermaLink="false">http://www.p2p-security.com/?p=830</guid>
		<description><![CDATA[By Brian Krebs and Ellen Nakashima / Washington Post Staff Writers
 The indiscriminate use of a popular online data-sharing technology has led to the disclosure of sensitive government and personal information &#8212; including FBI surveillance photos of a Mafia hit man, lists of people with HIV, and motorcade routes and safe-house locations for then-first lady Laura [...]]]></description>
			<content:encoded><![CDATA[<p><strong><em>By Brian Krebs and Ellen Nakashima / Washington Post Staff Writers</em></strong></p>
<p> The indiscriminate use of a popular online data-sharing technology has led to the disclosure of sensitive government and personal information &#8212; including FBI surveillance photos of a Mafia hit man, lists of people with HIV, and motorcade routes and safe-house locations for then-first lady Laura Bush, a congressional panel was told on Wednesday.</p>
<p><span id="more-830"></span> The information is often exposed inadvertently by people who download the technology to share music or other files, not realizing that the &#8220;peer-to-peer&#8221; software also makes the contents of their computers available to other users, experts said.</p>
<p> The issue is so pressing that the chairman of the House Oversight and Government Reform Committee, Rep. Edolphus Towns (D-N.Y.), said he would introduce a bill to ban such software from all government and contractor computers and networks.</p>
<p> &#8220;The administration should initiate a national campaign to educate consumers about the dangers involved with file-sharing software,&#8221; he said.</p>
<p> Robert Boback, chief executive of Tiversa, a company that scours music- and file-sharing networks on the Internet for sensitive data, said the use of such software is being exploited by foreign governments for espionage and other purposes. &#8220;Other countries know how to access this information and they are accessing this information,&#8221; he said.</p>
<p> Boback told the committee that Tiversa found FBI surveillance photos of an alleged hit man on the Internet while he was still on trial. The company also found the government&#8217;s confidential witness list for that trial, which included the names of some people in the government&#8217;s witness protection program. He said the company found the documents while scouring the networks for other data for a client.</p>
<p> &#8220;This is not information you want to have out there,&#8221; he said.</p>
<p> A spokesman for the FBI said late Wednesday that he did not have enough information to comment on the surveillance photos. The Secret Service said that the motorcade routes and safe-house locations are not classified or top secret. Such data is &#8220;not of any value&#8221; after an event, said Secret Service spokesman Malcolm Wiley. &#8220;And if something like that were to emerge before an event, keep in mind, we&#8217;ve got other security countermeasures in place.&#8221;</p>
<p> In addition to the list of people with HIV, which included Social Security numbers, Tiversa discovered records with full psychological assessments of patients with conditions such as bipolar disorder.</p>
<p> Alan Paller, director of research at SANS Institute, a computer-security training group, said that health data are a new target of organized-crime groups. Experts say a copy of a medical record can fetch money on the Internet black market.</p>
<p> &#8220;This is unbelievably sensitive medical data,&#8221; said Deborah Peel, founder of Patient Privacy Rights, a health-privacy advocacy group. &#8220;It has people&#8217;s names on it from mental-health treatment programs, drug studies. All of these medical files have everything needed for identity theft, the most prominent and frightening consumer issue with electronic systems.&#8221;</p>
<p> Towns said he would ask the Federal Trade Commission to investigate whether inadequate safeguards on file-sharing software constitute an unfair trade practice.</p>
<p> Mark Gorton, chairman of the Lime Group, which makes LimeWire, one of the most popular peer-to-peer, or P2P, programs, told the committee that the latest version of his company&#8217;s software makes it extremely difficult to accidentally share sensitive documents.</p>
<p> He said that any effort to regulate the industry would be difficult, as LimeWire is one of hundreds of such software providers. &#8220;Most creators of P2P applications are not based in the United States, and may not even be corporations,&#8221; Gorton said.</p>
<p> The Department of Homeland Security warns that file-sharing technology exposes users&#8217; computers to infection, attack or exposure of personal information. It recommends avoiding the software.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.p2p-security.com/file-sharing-leaks-sensitive-federal-data-lawmakers-are-told/feed</wfw:commentRss>
		</item>
		<item>
		<title>Details on presidential motorcades, safe house for First Family, leak via P2P</title>
		<link>http://www.p2p-security.com/details-on-presidential-motorcades-safe-house-for-first-family-leak-via-p2p</link>
		<comments>http://www.p2p-security.com/details-on-presidential-motorcades-safe-house-for-first-family-leak-via-p2p#comments</comments>
		<pubDate>Wed, 29 Jul 2009 13:25:07 +0000</pubDate>
		<dc:creator>tottinger</dc:creator>
		
		<category><![CDATA[All Articles]]></category>

		<category><![CDATA[Data Loss]]></category>

		<category><![CDATA[Government]]></category>

		<category><![CDATA[News Articles]]></category>

		<guid isPermaLink="false">http://www.p2p-security.com/?p=844</guid>
		<description><![CDATA[Written By: Jaikumar Vijayan
Lawmakers eye bill to ban P2P use on government, contractor networks
July 29, 2009 (Computerworld) - Details about a U.S. Secret Service safe house for the First Family &#8212; to be used in a national emergency &#8212; were found to have leaked out on a LimeWire file-sharing network recently, members of the House [...]]]></description>
			<content:encoded><![CDATA[<p>Written By: Jaikumar Vijayan</p>
<p>Lawmakers eye bill to ban P2P use on government, contractor networks</p>
<p><strong>July 29, 2009 (Computerworld)</strong> - Details about a U.S. Secret Service safe house for the First Family &#8212; to be used in a national emergency &#8212; were found to have leaked out on a LimeWire file-sharing network recently, members of the House Oversight and Government Reform Committee were told this morning.</p>
<p> <span id="more-844"></span>Also unearthed on LimeWire networks in recent days were presidential motorcade routes and a sensitive but unclassified document listing details on every nuclear facility in the country, Robert Boback, CEO of Tiversa Inc. told committee members.</p>
<p> The disclosures prompted the chairman of the committee, Rep. Edolphus Towns (D-N.Y.), to call for a ban on the use of peer-to-peer (P2P) software on all government and contractor computers and networks. &#8220;For our sensitive government information, the risk is simply too great to ignore,&#8221; said Towns, who plans to introduce a bill to enforce just such a P2P ban.</p>
<p> Tiversa is a Cranberry Township, Pa.-based provider of P2P monitoring services. In the past, it has served up dramatic examples of highly sensitive information found on file-sharing networks. In January for instance, the company disclosed how it had discovered sensitive details about the President&#8217;s helicopter, Marine One, on an Iranian computer after a document leaked out over a P2P network.</p>
<p> Today&#8217;s hearing continued in that vein, with Tiversa providing new sensational examples of leaked information. Boback showed off a document, apparently from a senior executive of a Fortune 500 company, listing every acquisition the company planned to make &#8212; along with how much it was willing to pay. Also included in the document were still-private details about the company&#8217;s financial performance.</p>
<p>Boback also showed numerous documents listing Social Security numbers and other personal details on 24,000 patients at a health care system, as well as FBI files, including surveillance photos of an alleged Mafia hit man that were leaked while he was on trial. He demonstrated to members of the committee how pedophile predators troll file-sharing networks looking for images and data.</p>
<p> Speaking with Computerworld before the hearing, Boback said that all of the information was readily available on LimeWire&#8217;s file-sharing network after apparently being leaked. The data on the nuclear sites was found on computers associated with four IP addresses in France, though it is not immediately clear where the data came from. The files containing information about the president and his family had Barack Obama&#8217;s seal on them and a July date.</p>
<p> Though the information was not classified, it was sensitive enough that under normal circumstances it would not have been available even via a Freedom of Information Act request, he said.</p>
<p> This is the third time that the House Oversight committee has held a hearing on the topic of data leaks on P2P networks. The last hearing was two years ago and featured similar revelations from Tiversa and others.</p>
<p> The problem is well understood, but it remains difficult to stop. The leaks typically occur when a user installs a P2P client such as Kazaa, LimeWire, BearShare, Morpheus or FastTrack on a computer for the purposes of sharing music and other files with others on the network. In many cases, users inadvertently expose not just the files they want to share, but also every other file on their computers.</p>
<p> Boback and others have warned that leaks have resulted in file-sharing networks becoming vast treasure troves of information for identity thieves, corporate spies and even foreign intelligence agencies. That has prompted calls for lawmakers to force software vendors to implement stricter security controls in their applications.</p>
<p>The only vendor at today&#8217;s hearing was Mark Gorton, chairman of Lime Group LLC, the umbrella organization that runs Lime Wire LLC, developer of LimeWire, which is the most-used P2P client available. Gorton testified two years ago and promised at that time to implement changes in the company&#8217;s products to make it harder for users to inadvertently share files.</p>
<p> Today he insisted that the company had implemented many of those changes and that the latest version of LimeWire makes it much harder for data to be inadvertently leaked. Those claims were largely rejected by members of the committee, who blasted Gorton for failing to live up to his promises.</p>
<p> Pointing to the examples offered by Boback, Towns said that the file-sharing industry&#8217;s promises to regulate itself had clearly failed. &#8220;Specific examples of recent LimeWire leaks range from appalling to shocking,&#8221; Towns said. &#8220;As far as I am concerned, the days of self-regulation should be over for the file-sharing industry.&#8221;</p>
<p> Other members want the issue investigated by the Federal Trade Commission, the Securities and Exchange Commission and law enforcement authorities. They said that the continued failure by companies such as LimeWire to take more proactive steps to stop inadvertent file-sharing is tantamount to enabling illegal activity resulting from the data leaks.</p>
<p> Towns plans to meet with the chairman of the FTC to determine whether the failure to stop inadvertent file-sharing constitutes an unfair trade practice by P2P companies.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.p2p-security.com/details-on-presidential-motorcades-safe-house-for-first-family-leak-via-p2p/feed</wfw:commentRss>
		</item>
		<item>
		<title>Private P2P Networks Add Trust to File Sharing</title>
		<link>http://www.p2p-security.com/private-p2p-networks-add-trust-to-file-sharing</link>
		<comments>http://www.p2p-security.com/private-p2p-networks-add-trust-to-file-sharing#comments</comments>
		<pubDate>Fri, 10 Jul 2009 15:00:11 +0000</pubDate>
		<dc:creator>tottinger</dc:creator>
		
		<category><![CDATA[All Articles]]></category>

		<guid isPermaLink="false">http://www.p2p-security.com/?p=827</guid>
		<description><![CDATA[Written By Jackson West - PC World
Stephane Herry says that he founded his private file-sharing network GigaTribe out of frustration at not being able to share files with his friends on Kazaa. Every time he searched for a file that he knew a friend had uploaded, he saw only similar files uploaded by strangers.
Why not, [...]]]></description>
			<content:encoded><![CDATA[<p>Written By Jackson West - PC World</p>
<p>Stephane Herry says that he founded his private file-sharing network GigaTribe out of frustration at not being able to share files with his friends on Kazaa. Every time he searched for a file that he knew a friend had uploaded, he saw only similar files uploaded by strangers.</p>
<p><span id="more-827"></span>Why not, Herry thought, create a peer-to-peer (P2P) application that permitted only trusted sources to share files? Such a network would be far more secure, because you&#8217;d be sharing files exclusively with people you know and trust&#8211;not with complete strangers, some of whom may <a href="http://www.pcworld.com/article/111807/peertopeer_poses_security_problems.html">wittingly or unwittingly be spreading viruses</a>.</p>
<p>Herry&#8217;s idea is proving to be popular. Some of the biggest names in public peer-to-peer file sharing now offer private alternatives. In its latest release, <a href="http://www.pcworld.com/article/144771/study_limewire_still_top_p2p_software_utorrent_2.html">venerable file-sharing client LimeWire</a> now allows users to share files privately with contacts that it pulls from Google or LiveJournal contact lists. Azureus Vuze, a popular BitTorrent client, added a FriendBoost feature to speed torrent downloads by sharing them within a group of trusted users.</p>
<p>In the past few years, private file sharing has evolved, steadily improving in speed, security, and functionality. Depending on what you&#8217;re looking for, you can probably find a software product or Web app that&#8217;s perfectly suited to help you and your friends (or coworkers) share anything from spreadsheets to home movies legally, safely, and privately.</p>
<p>We took a look at four applications that promise secure, efficient file sharing among private groups: QNext, GigaTribe, 2Peer, and LogMeIn&#8217;s Hamachi.</p>
<p><strong>QNext</strong></p>
<p>File sharing is just one of the features offered by <a href="http://www.qnext.com/">QNext</a>. It&#8217;s primarily designed to serve as an integrated communications suite, with IM, voice, and video-chat components. But it also allows you to share files securely&#8211;with no size restrictions&#8211;and it has special photo and music capabilities as well. Finally, QNext even lets you gain remote access to your computer through a standard Web browser.</p>
<p>Installation and setup are painless. You simply download the software, install it, and create an account&#8211;and you can begin adding IM accounts and creating folders of files that you want to share. Network configuration and input device detection&#8211;for hardware such as microphones and cameras&#8211;are automatic. To add friends, you enter your log-in data for popular instant messaging systems like AIM and Google Talk, and then ask your friends to download, install, and register for QNext.</p>
<p>Once you have one or more friends enrolled in your list of QNext contacts, you can set up shared folders through &#8220;zones.&#8221; Click File, Share Content to open the QNext explorer. Then click Share Folders and Files and drag and drop the data you want to share. You can set up secure sharing by adding only QNext contacts, or you can make the files publicly available to anyone with a Web browser by selecting &#8216;Broadcast to Web browsers&#8217;.</p>
<p>The interface of the application opens with a vertical list of contacts from the IM accounts that you added during initial setup. You gain access to more features, options, and settings by clicking the blue monitor icon for the Explorer. In the Explorer you set up groups of shared files and folders, as well as permissions for access&#8211;one folder could be public, another could be for one specific user. The Explorer is also where you manage other settings, including chat, video, and audio. From there, you can set up shared files and folders, and browse and search data that others have shared with you.</p>
<p>One particularly nice aspect of QNext is that other users needn&#8217;t have the application installed in order to receive messages, shared files, or photos, or even to listen to music streamed from your shared library. QNext&#8217;s servers make much of your content available publicly via browsers, if you wish, so you can simply send a URL over IM or e-mail. If you want the transfers to be private and secure, however, both parties must have QNext installed.</p>
<p>You&#8217;ll also need to have QNext turned on and running if you or your contacts need to access the data or use the machine via remote access. This is great if you have a machine at home or at the office that is online around the clock anyway. If you use a laptop, turning off your machine, letting it lapse into sleep or standby mode, or losing your Internet connection will cut off anyone who is connected to a download or stream from one of your music playlists.</p>
<p>Another potential <a href="http://www.pcworld.com/article/142476/get_ready_for_a_crackdown_on_broadband_use.html">bottleneck is bandwidth</a>. Contacts can access files and streams only as fast as your machine can upload&#8211;and since most personal users on networks have limited upstream bandwidth, simultaneously downloading or streaming more than a few files or music from your machine will quickly push it to the limit.</p>
<p>QNext is a free download available for Windows, Mac, and Linux operating systems. Versions for the iPhone, the iTouch, and Google Android-powered smartphones are currently in the beta stage.</p>
<p><strong>GigaTribe</strong></p>
<p>With a familiar and friendly interface, <a href="http://www.gigatribe.com/en/home">GigaTribe</a> targets casual computer users who want to share media collections with friends. The download, installation, and account creation process is straightforward, with no router or firewall configuration necessary. You can invite friends to download, install, and register for GigaTribe through e-mail or via social networks such as Facebook, LinkedIn, and Flickr.</p>
<p>To share, simply start the program, click the Share button, and select a folder on your computer. GigaTribe affords you plenty of control over which of your friends can access your files. All files are encrypted, and the program lets you set access to specific groups, permit contacts to upload or download files, and even password-protect shared folders.</p>
<p>Once you&#8217;ve set up some <a href="http://www.pcworld.com/article/165355/gigatribe_makes_it_easier_to_share_large_files.html">files to share</a>, you can chat with other users directly through the program. If a user logs off while you&#8217;re downloading a file, the program will check for another copy of the file among users still online, or it will pause the download and then resume it when the original user comes back online.</p>
<p>The free download includes GigaTribe&#8217;s EasyConnect feature, which uses GigaTribe&#8217;s servers as an intermediary to establish your connection, thus eliminating the need for a technical configuration on your side. That feature, however, is free for only the first 30 days; after that, file transfers may slow down unless you spend the time to configure your network manually. The full version, GigaTribe Ultimate, which includes EasyConnect, costs $5 a month or $30 a year; it offers improved download speeds (by sourcing downloads from multiple copies of the same file hosted by different users) and e-mail support.</p>
<p>GigaTribe is available only for Windows PCs, and the latest version is still in beta. Once the Windows version is finalized, the developers have promised to add a version for Mac users.</p>
<p><strong>2Peer</strong></p>
<p>What makes <a href="http://www.2peer.com/">2Peer</a> unique is that its interface works entirely within your browser&#8211;though additional software runs in the background, so an installation is required. Once that&#8217;s completed and you&#8217;ve created a user account, however, starting up 2Peer will launch your default browser, from which you&#8217;ll be able to manage your shared files and folders or connect with other users.</p>
<p>Like QNext, 2Peer lets you share files with users who don&#8217;t necessarily have the program installed&#8211;in the case of 2Peer, you can rely instead on e-mailed links or on 2PeerWeb, a fully browser-based version that supports downloads (but not uploads or shared files and folders). Also like QNext and GigaTribe, you&#8217;ll have to have 2Peer up and running for others to access your data, and vice versa.</p>
<p>You can invite friends to participate, by entering a list of e-mail addresses or by allowing 2Peer to scan your contacts in Yahoo Mail, Gmail, Windows Live Mail, AOL Mail, or Lycos Mail. 2Peer will send an e-mail invitation to those addresses, with instructions on how to download, install, and register.</p>
<p>It&#8217;s easy to fine-tune the privacy controls for shared folders or individual files, with access levels ranging from public availability (anyone and everyone) to a specific 2Peer user. All data transferred between users or to 2Peer&#8217;s servers is sent in encrypted form.</p>
<p>The service is completely free, and it works on Windows PCs, Macs, and iPhones (meaning that if you have an iPhone, you can download files from friends on the fly).</p>
<p><strong>LogMeIn Hamachi</strong></p>
<p><a href="https://secure.logmein.com/products/hamachi/vpn.asp?lang=en">LogMeIn Hamachi</a> is not specifically designed for file sharing; however, it provides a quick, inexpensive, and relatively easy way to <a href="http://www.pcworld.com/businesscenter/article/148811/vpns_answers_to_six_burning_questions.html">set up a virtual private network</a> (VPN). This means that the connection between computers over the public Internet mimics that of a private network, such as a local area network.</p>
<p>All users that you want to connect will have to have Hamachi downloaded and installed on their machines. Officially the program works with Mac and Linux systems as well as with Windows PCs, but only the PC version has a familiar graphical user interface; Mac and Linux users must install and configure the software through a command line interface. All versions will tunnel through your operating system or router firewall automatically, so little or no configuration is required.</p>
<p>As befits its bare-bones nature, Hamachi doesn&#8217;t invite your friends to download and install the software or to register an account, so you&#8217;ll have to do that yourself (in person, via e-mail, or by other means). Once two machines are connected, you can trade data by linking network drives through the operating system, as you would between machines on a local network. You can also stream video or audio, use remote access software to control another system on the network, or play multiuser games as if you were at a LAN party (Hamachi is popular among gamers).</p>
<p>In mimicking a LAN, Hamachi lets you use familiar Windows network drive sharing and file and folder permissions.</p>
<p>Speed over the network is limited by the bandwidth available between parties. If your friend is on a modem, you&#8217;ll only be able to connect at modem speeds. A central server operated by LogMeIn manages authentication; this can make creating and connecting to the VPN during peak usage periods slow or otherwise problematic.</p>
<p>The service is free for personal use and costs $5 per month per license for business use.</p>
<p><strong>Which One Is Right for You?</strong></p>
<p>Private networks have a number of benefits. Security is easier to manage, and you also get the peace of mind of sharing a song or a video with a friend rather than with the whole World Wide Web. While many of these applications could be used to do business by connecting far-flung teams so that they can collaborate, the apps represent a move toward creating private, secure sharing for personal pursuits.</p>
<p>For instance, QNext appears to be a good match for IM junkies looking for a communications platform that offers a more reliable and secure way to share files than existing IM tools can manage, without the size limits and with faster transfers.</p>
<p>GigaTribe and 2Peer are ideal for heavier file sharers who may already have networks of friends with whom they trade media libraries. GigaTribe has the slicker interface, but 2Peer sets itself apart by offering iPhone access. Hamachi is a general-purpose VPN that supports all sorts of private, secure connectivity, including (but not limited to) file sharing; it is suited to more advanced users.</p>
<p><strong>Know What You&#8217;re Getting Into</strong></p>
<p>People continue to create and collect <a href="http://www.pcworld.com/article/165332/digitize_all_of_your_old_media.html">more and more digital media</a>. Meanwhile, everything from lawsuits against individual file sharers to embarrassing incidents when the public stumbles across a private moment shared online is increasing users&#8217; awareness that publishing data to everyone, everywhere is not always a great idea. These tools make it much easier to share the content you love with people you know.</p>
<p>Security note: Though none of these products came with any malware that I could detect, many of them do circumvent firewall protections in order to speed up connections or ease installation, and this poses a risk to your system or network. In fact, you incur a certain amount of risk (of viruses, malware, and the like) every time you share access to your computer online. Take care to protect important data by backing it up and encrypting it locally; only connect to users whom you know and trust; and never download and install applications through peer-to-peer networks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.p2p-security.com/private-p2p-networks-add-trust-to-file-sharing/feed</wfw:commentRss>
		</item>
		<item>
		<title>Inadvertent File-Sharing Still a Threat</title>
		<link>http://www.p2p-security.com/inadvertent-file-sharing-still-a-threat</link>
		<comments>http://www.p2p-security.com/inadvertent-file-sharing-still-a-threat#comments</comments>
		<pubDate>Wed, 08 Jul 2009 19:00:20 +0000</pubDate>
		<dc:creator>tottinger</dc:creator>
		
		<category><![CDATA[All Articles]]></category>

		<category><![CDATA[Data Loss]]></category>

		<category><![CDATA[News Articles]]></category>

		<category><![CDATA[Press Releases]]></category>

		<guid isPermaLink="false">http://www.p2p-security.com/?p=823</guid>
		<description><![CDATA[News Release - July 8, 2009
 Sydnor Outlines Approaches to Remediate Inadvertent Sharing
WASHINGTON D.C. - Inadvertent file-sharing can still be caused and perpetuated by dangerous &#8220;features&#8221; in certain file-sharing programs, explains Thomas Sydnor in &#8220;Inadvertent File-Sharing Re-Invented: The Dangerous Design of LimeWire 5,&#8221; released today by The Progress &#38; Freedom Foundation. 
In the paper, Sydnor, Senior Fellow and Director [...]]]></description>
			<content:encoded><![CDATA[<p><strong>News Release - </strong>July 8, 2009</p>
<p> Sydnor Outlines Approaches to Remediate Inadvertent Sharing</p>
<p>WASHINGTON D.C. - Inadvertent file-sharing can still be caused and perpetuated by dangerous &#8220;features&#8221; in certain file-sharing programs, explains Thomas Sydnor in &#8220;Inadvertent File-Sharing Re-Invented: The Dangerous Design of LimeWire 5,&#8221; released today by The Progress &amp; Freedom Foundation. </p>
<p><span id="more-823"></span>In the paper, Sydnor, Senior Fellow and Director of the Center for the Study of Digital Property, summarizes the causes and consequences of inadvertent sharing.  He shows that one distributor again appears to violate industry best practices by deploying dangerous features that seem intended to cause and perpetuate inadvertent sharing of both copyrighted and personal files.  Sydnor identifies multiple reasons why the latest versions of the &#8220;LimeWire 5&#8221; program can cause and perpetuate inadvertent sharing:</p>
<p>The program contains an ambiguous &#8220;share all&#8221; feature which can share all files in a user&#8217;s &#8220;library.&#8221;  With one misplaced mouse-click, this prominent &#8220;feature&#8221; can &#8220;share&#8221; all document, audio, video, and image files stored in a family&#8217;s My Documents folder and all of its subfolders.</p>
<p>The program violates eight industry &#8220;best practices.&#8221; By default, LimeWire 5 shares sensitive file types and user-originated files, and recursively shares folders.  It also fails to give timely and conspicuous warnings, fails to uninstall completely, and will perpetuate inadvertent sharing caused by prior versions of the program.</p>
<p>The default settings of the program exploit inexperienced users.  Many new users of file-sharing programs tend to be pre-teens or teenage children who may be unaware that, by default, these programs &#8220;share&#8221; all downloaded files.  Since most of these files are infringing, this leaves minors open to liability.</p>
<p>Sydnor proposes that because the distributors of LimeWire 5 have again failed to do so, policymakers who want to stop inadvertent file-sharing should involve appropriate law enforcement agencies and extend the enforcement authority of the Federal Trade Commission by revising H.R. 1319, The Informed P2P User&#8217;s Act.</p>
<p>&#8220;Inadvertent File-Sharing Re-Invented: The Dangerous Design of LimeWire 5,&#8221; is available on the PFF website.</p>
<p>The Progress &amp; Freedom Foundation is a market-oriented think tank that studies the digital revolution and its implications for public policy. It is a 501(c)(3) research &amp; educational organization.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.p2p-security.com/inadvertent-file-sharing-still-a-threat/feed</wfw:commentRss>
		</item>
	</channel>
</rss>
