The only security risk it needs to be is to blind us to other security risks. That can be accomplished by its behavior in the network monitoring tool (many malware applications behave very similarly in a P2P fashion) or by putting us at risk of running over the amount of traffic we're licensed for in any of our tools. We're not in the business of buying licenses to support a program we explicitly disallow, so instead we're in the business of explicitly disallowing software that would put us over that license. P2P raises our risk level just by being noisy. iTunes does the same thing, and it's not P2P. It's just really, really chatty and it is also disallowed by policy. Chrome and Outlook don't put us in danger of being over our license or out of bandwidth.
Users don't understand. I get it. Information security is a young industry, and some decisions that are made might not be immediately clear. It's a negative job; if you're doing everything exactly right, users will be complaining that you're getting in their way and the bosses will be wondering why you even have a budget. If you're not doing everything exactly right, users will be complaining that they have odd charges on their credit cards and the bosses will be wondering why they can't log into their email anymore.
You might not like my driving, but covering my eyes with your hands doesn't solve that problem. P2P blinds my network monitors just like your hands blind my eyes.