From: www.itworld.com

P2P Net security depends on the strength of your 'reputation'

by P.J. Connolly

March 19, 2001

I AM SO TIRED of hearing about peer-to-peer networking as The Next Big Thing. I can understand the interest in the fate of Napster and similar services because what's at stake in the Napster case is nothing less than the future of intellectual property. But p-to-p networking brings as many problems as it does solutions, and businesses should treat it with extreme caution.

Frankly, I don't see how to get past some basic security issues without reinventing the network operating system. P-to-p offers a lot of potential in the consumer space, but until some basic security and trust issues get resolved, I have to treat it as "toy technology" for businesses.

Before I climb fully onto my soapbox, I want to say that Napster, Gnutella, and their ilk are vehicles for theft, not necessarily by design, but unless you own the rights to a composition, accessing it or making it available to one of these services is a slam-dunk violation of copyright.

Some of the so-called benefits of peering are going to be difficult to achieve in practice. For example, file sharing is old news, and I'm one of those prickly old-fashioned types who doesn't like to allow corporate files on this side of the firewall to be world-readable. Once you start building in access controls, you have a primitive network operating system. We have enough of those already.

Even the idea of glomming onto spare CPU cycles for number-crunching tasks is one that leaves me skeptical. "Vampiring" desktop resources requires that implementers have a good feel for how the user's applications -- which, after all, are the reason for buying the computer in the first place -- use them. Notwithstanding the obvious concerns about who decides what resources get tapped and when, vampiring creates a surefire back door into a computer that the user often can't control. I've heard the arguments about leveraging underused resources, but security concerns trump just about everything in my world.

I know that I'm shouting into the wind; the genie is out of the bottle and there's no way to put it back. Teenagers and college students are rightfully going to blame the recording industry for overcharging consumers, and they will keep finding ways to use the Internet for an ongoing, giant tune-swapping festival.

I'm not in love with peering technology, but I can't ignore it either. Although the security hurdles are formidable, I reckon we'll see a number of attempts to add necessary features to peer networking that will make corporate security managers sleep better. Intel is doing some interesting work in this area in conjunction with its membership in the Trusted Computing Platform Alliance. Intel has demonstrated proof-of-concept solutions to encryption and trust in a peering environment, and its "Trutella" hybrid of hardware and Gnutella software may represent the new computing paradigm. Peering definitely needs the credibility that a commodity-trusted system can deliver.

The acceptance of peer technologies in the corporate world hinges on reputation and trust. We already have the beginnings of this with the digital certificate, which can be used to prove a person's identity. The next step will be "digital reputations." Think of them as credit reports, only on a broader scale. This is a mildly uncomfortable thought for someone like me with a small public presence; the odds are that over time I'll tick off some folks enough that they'll want to smear my reputation.

I'm not looking forward to it, but I don't think we'll have to wait long to see "reputation servers" being as important to the Internet as DNS servers are today. Of course, like DNS servers, a reputation server will present a target for those wishing to attack a business or individual. I'm going to suggest that you read Bruce Sterling's Distractions for a chilling portrait of what America would look like in a future when intellectual property long ago ceased to have value and when your life might depend on what a reputation server said about you.

You'll note that I haven't said anything about peering being a jim-dandy way to spread viruses; it is, but that's outside this column's scope. People like to take candy from strangers, it seems, and they deserve the consequences of doing so.