http://www.yomiuri.co.jp/dy/editorial/20060315TDY04006.htm

The Yomiuri Shimbun
Mar. 15, 2006

Should all the blame fall on the Winny file-sharing software? Not quite. Anyone dealing with sensitive information has an extremely heavy obligation in this regard.

A number of cases of large amounts of government secrets and personal information being accidentally disclosed on the Internet have come to light in recent weeks, and Winny has been singled out for criticism in all these incidents.

Winny was created to enable computer users to exchange music and video files over the Internet. However, the development of the software has been followed by the emergence of computer viruses that can infect Winny, making it act in ways not intended. If infected, Winny can upload data from computers on which it is installed onto the Internet without the knowledge of users.

In all the information disclosures reported, the victims had stored important data on personal computers that were running copies of Winny that had been infected with viruses. This has prompted many people to point a finger at the file-sharing software.

The recent spate of Winny-related incidents includes the disclosure of information about investigations by the Okayama and Ehime prefectural police.

The tendency to single Winny out for criticism can be seen in remarks made by senior officials at the National Police Agency, an organ charged with supervising prefectural police authorities. "Police personnel who use Winny on their personal computers have no awareness of their professional duties," NPA Commissioner General Iwao Uruma said.

=== Lax security true culprit

But blaming Winny alone means blinkering oneself to the true culprit, and one needs to look further. It is disturbing to see that the organizations affected by the incidents were extremely lackadaisical in protecting information and secrets.
Questions should be raised about why those responsible for the disclosures were able to copy sensitive information from their office computers onto their own computers, and take it home without permission from their superiors. The ease with which this was done means no measures had been taken to protect the confidentiality of information held by these offices.

What if such massive amounts of information had been stored on paper, not computers, and disclosed? The spate of disclosures would be considered highly abnormal.

We all have good reason to raise questions about how the organizations affected by the disclosures protect their secrets and data. Are personnel at their offices allowed to duplicate important documents and take them outside? Are they permitted to take such documents home?

Are the central and local governments properly equipped to manage the many secrets and personal information entrusted to them? The government and other pertinent organizations must thoroughly reexamine their information-control systems.

=== Govt must accept responsibility

The Defense Agency intends to buy all its personnel new computers to help them carry out their duties. The decision came after the agency had second thoughts about its standing practice of allowing employees to use their own computers for work.

But this purchase must be complemented by efforts to ensure information stored on these computers is properly controlled. If agency officials are allowed to copy data from their office computers onto their personal computers and take them out, the agency will remain susceptible to the disclosure of secrets and data. Winny is not the only software that can be perverted to disclose data stored on computers; there are others.

The Defense Agency must ban personnel from using the newly supplied computers for personal use. No government employee should be allowed to take data outside the workplace. Government information and data must be encoded if taken out from the office.
Doing so would prevent the data from being understood if disclosed to an outsider.

Thorough measures should be implemented to educate government employees about how to properly control data they handle. Furthermore, periodic inspections are needed to ensure these safeguards are being followed.

Any organization that has a bitter experience of having secrets and data disclosed has already taken such measures. Government organizations must learn what it means to protect the confidentiality of their information and data.

(From The Yomiuri Shimbun, March 15)