Friday, November 25, 2005

WFAA News Story: Flaws Exposed

This is a perfectly good example of a little knowledge being a dangerous thing. It is also an example how to scare the viewers by not understanding what a file sharing program does or how it works.

The video clip clearly shows the program in use was LimeWire PRO (see clip at 0:20, 1:16 and 1:37 1:57, 2:16, 2:30) yet when I asked, Ed Chiarini stated in an email to me, "Each time I use LimeWire, I download a current free version". However the free version can't display on screen as LimeWire PRO. And the story says they "did the same experiment using the most current LimeWire software." Why is this an issue? Usually when you "expose a major security flaw" you state which version has the flaw, and report it to the software company, so they have a chance to fix the flaw before it is made public. But in this case, there is no flaw, and when I asked Ed Chiarini which version number he was using and whether the flaw has been reported, he ducked the question and answered as above.

If you pause the video clip at the 1:02 minute mark (see below), you can see that the file sharing setting has been changed to include sharing "Documents", which is not the default setting, even though the reporter says "... most users would simply use the default settings".

For the reporter to claim that this is a "major security flaw with LimeWire" that "makes it easy to search the hard drive of anyone who is also using the program" is completely misleading. First of all, the default installation of LimeWire creates an empty folder called "Shared". On my IBM ThinkPad, this is stored as
"C:\Documents and Settings\user\Shared"
whereas the "My Documents" folder is stored alongside this as
"C:\Documents and Settings\user\My Documents"
so the only way you could share documents stored in the "My Documents" folder would be to add it in, using the "options" -> "sharing" dialog box. This indicates careful design on the part of the programmers to ensure that the risk of inadvertent file sharing is eliminated.

So if Chrystal Snow gave them permission to share her "documents" folder, she shouldn't be in the least bit surprised if the files in this folder show up on other machines. That is precisely what LimeWire is designed to do. It isn't a "security flaw", it's the reason you download a file sharing program in the first place! How did she think that she could download music from other computers? By magic? No, from their hard drive!

Ed explained to me that News 8 used the "Browse Host" function in LimeWire. If you search for files, you can select one of the files found and then choose the "Browse Host" function, which will display all the shared files on the user's machine, not just the one selected. Since the user has elected to share all his/her files, this is neither sinister nor is it a secret search. To say it is possible to say someone "can do a secret search of someone else's computer information without the victim knowing it" is like saying you can look into the windscreen of a car without the driver knowing about it.

So we have a news reporter (Dan Ronan) claiming to have exposed a "major security flaw" when in fact he is describing the stated and advertised behaviour of the software. We have a gullible user (Chrystal Snow) who gives permission for the News 8 team to change her settings to share all her "Documents" to the rest of the world on her file sharing program (LimeWire PRO) and then she says "I'm shocked my information is out there for anyone to find". Of course it is, you just gave permission! DUH!

The "security consultant" (Ed Chiarini) makes money of gullible users by charging $79.99 to uninstall LimeWire and delete the remaining registry keys and "Shared" and "Incomplete" folders on their system. But that isn't mentioned in the story, even though his web site is displayed several times in the TV clip, and the URL appears on screen and in the article.

To add insult to injury, the news story tries to imply that adding a user's "Documents" folder (see clip at 1:02 minutes) is the default setting when you install LimeWire, which clearly it is not.

It gets worse. The story implies a sinister motive on the part of LimeWire: "... The problem occurred from something written into the program, which was more than likely not an accident." That's a bit like saying that cars all have front wheels that could turn suddenly and make you go off the road, and that it is not an accident that there are steering wheels in the car.

The story has an interesting opening sentence: "Users of LimeWire ... might be making their private financial and personal information vulnerable." This is like saying that people in cars might be putting their lives at risk by driving on the roads.

By the time we get to the end of the story, "...
personal data is there for everyone to find."
So which is it? Is it there for everyone to find, or is it only that it might be possible to find it, if the user elects to share it.

As you can see, the story has flaws and holes, and LimeWire is only doing what it is supposed to be doing. File sharing programs share files; irresponsible users share the wrong files.

Next week WFAA TV will be running a story on a dangerous new security flaw in Microsoft Word: it allows you to change and print documents! Imagine the security implications: anyone who prints out the document can read it, even if they aren't logged in. Shock! Horror!

Limewire File sharing program exposes hard drives | digg story

No comments: