Eskimo North

KOMO AM 1000 did a real smear story on peer-to-peer networking. They reported the arrest of a 35 year old Seattle man who used peer-to-peer networks to steal credit card information from peoples personal computers. Ok, so far, but then they went on to say that every computer with peer-to-peer networking installed is vulnerable to identity theft and that's just hogwash.

For starters, if you've got a Windows machine, it's ALREADY vulnerable by any number of viruses. If you have any data that really needs to be secured, it really should not be on a Windows machine connected to the Internet. Really it shouldn't be on the Internet at all.

Now that said; there are probably several hundred million people using peer-to-peer networks. Most of them are not at significantly higher risk because of this. Most peer-to-peer networks allow you to specify a folder or folders to export; just like Windows file sharing. If you are stupid and export your entire drive, or any folder that contains sensitive information, then yes that information becomes available to nefarious types like this 35 year old Seattle man that was recently arrested. Same is true if you export your whole drive with Windows file sharing. So the lesson isn't "don't use peer-to-peer networking", the lesson is know your software and understand how to properly configure it.

Another issue, when you download things with peer-to-peer networks, if you don't know the source you're downloading from, and the software is in anyway executable, a program file, a script, it may contain a virus. Even non-executable files may take advantage of defects in software to install a virus. For example, a while back, I watched a video on MySpace that happened to be in Quicktime format and contained material that took advantage of a buffer overflow exploit in Quicktime to install a virus and my machine got infected. That's a danger anytime you bring in any file from anywhere. This was something in a persons profile, probably something they had constructed for just that purpose.

I've also got viruses from well known legitimate distribution sites. I installed Cygnus-X downloaded directly from their sites, and installed several dozen copies of a virus in the process. Fortunately, AVG found it and I deleted it. Yes, they give you md5 checksums that if I had actually checked might have revealed that the files were corrupted, I was lazy, I got burnt. Live and learn.

Some peer-to-peer networking programs are also questionable, people distribute programs with back doors, Trojan horses, viruses, intentionally. Again, how well do you know your source? I installed Kaaza once, big mistake, took me a week to get rid of all the adware and spyware that was packaged with it. But WinMX and Shareaza, if you don't configure them to export your entire drive or anything not desired, are fairly safe except for the fact that they're running on a Windows platform (maybe they'd run under one of the WIndows emulators that runs under Linux).

I know there are people that think I'm just a Linux bigot, but let me tell you, got an XP Pro box here; it's behind a firewall, all of the unnecessary services are disabled, I've got not one but two firewall packages running on it, in addition to that AVG antivirus and AVG antispyware, and I stay up on Windows updates, and still with all of that I've averaged about a virus a week over the last two months. One of them came via the Quicktime bug (which is plugged in the current version), one came via a bug in Java (buffer overflow exploit that allowed bypassing certificate restrictions), and I really don't know how I got the others, but I've installed, tested, and deleted, a lot of trial software packages, registry cleaners, video converters, etc.

Major point being is that anytime you bring any file to your machine you are at risk, but peer-to-peer networks aren't inherently any more risky than windows file sharing, ftp, http web browsers, or any other method of transferring files onto your machine or from your machine. All of them can be mis-configured or mis-used. It's like driving a car, you're at risk of being in an accident; you have to weigh that risk against the functionality it provides.