An Indepth Look at AllPeers

“Fast and easy” “Secure file-sharing” “The killer Darknet Application” “It’s P2P without uploading!” “Open source was never easier” “Drag and drop, it’s easy!” One may wonder what the fuss is with AllPeers.

Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes.

AllPeers came onto the scene for both Firefox fans and P2P fans. Reading the reviews, one might think nothing could come close to an application that is ‘so great’, and that is exactly what makes sceptics worry. Could the sceptics be right? Slyck dives into the media attention and the application itself to find out what is really going on.

Perhaps the best way to start is to look at the media itself. Simply entering AllPeers in Google reveals a mountain of media attention on the main search page (while 6 results, as of this writing, pop up in the news search). Many of the claims that surface can seem not only unique, but sometimes even outrageous. Are all the claims true? Slyck discovered that this is not the case.

First, there is something that other reports did not mention: what happens when you install AllPeers but choose to register later? Every window opened manually, including the first one, asks you either to accept the terms and conditions or (once you have accepted them) to supply a user name, password and e-mail address. Every time a user clicks on a link that opens a new window, the content is replaced with another reminder to register, which compromises browsing.

One article reported, “supporters of the service proclaimed that it would protect its users from lawsuits from the RIAA and MPAA due to its Darknet architecture.” AllPeers does use a typical Darknet structure in which users invite each other and share files. In theory, the claim that AllPeers is a Darknet application, in the sense of the Wikipedia entry, is true.

Another article noted the following, “Cedric Maloux told p2pnet Allpeers would be open-source.” Currently, AllPeers is open to public use. Unfortunately, Slyck was unable to locate the source code, which makes AllPeers closed source for the time being. Mozilla Firefox is open source and AllPeers is an extension to that open source browser, but the extension itself is currently closed source.

One claim that comes straight off the home page is “No Uploads.” Slyck learned upon testing the application that this is a false claim. Users can very easily share with this application and may find themselves uploading more than they thought. The reason there is the appearance of no uploading is that nothing indicates to the user that a file is being uploaded. When testing this application by sharing a picture off of a local machine, the other tester noted that the file was receivable by downloading the picture. Therefore, the user on the host machine has indeed uploaded the file.

So what about pictures that are already online, which can be dragged and dropped to other users using AllPeers? It appears that these pictures are also stored locally and uploaded in full. If a user clicks on their own name in the AllPeers window, then clicks on the shared files and on the full view of the picture, the address bar vaguely reveals the location of the picture. The location of this shared point, unlike the download directory which is found on the desktop, is buried deep within the system. On the Slyck test, the shared file which was downloaded off of the net can be located at the following: C:\Documents and Settings\USERNAME\Application Data\Mozilla\FireFox\Profiles\x44p8xw1.default\allpeers\downloads\ALLPEERS_USERNAME
The effect is that the user may not be aware that he or she has uploaded anything in the first place. In fact, one could falsely assume the other user was downloading directly from the website and that only a direct link was being shared, but in reality, both points participated in the transfer of the picture in its entirety.
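An added example (not from the original article and not AllPeers code): a Python script that inventories what the extension has staged locally, so a user can see what has been copied to disk and made available to peers. It assumes every Firefox profile uses the allpeers\downloads\ALLPEERS_USERNAME layout observed in the test above; the function names are hypothetical.

```python
import hashlib
import os
from datetime import datetime, timezone
from pathlib import Path


def staged_files(profiles_root):
    """List every file under <profile>/allpeers/downloads/<AllPeers user>/."""
    records = []
    # Assumption: all profiles share the layout the article saw in one profile.
    for share_dir in sorted(Path(profiles_root).glob("*/allpeers/downloads/*")):
        if not share_dir.is_dir():
            continue
        for f in sorted(p for p in share_dir.rglob("*") if p.is_file()):
            st = f.stat()
            records.append({
                "profile": share_dir.parents[2].name,
                "allpeers_user": share_dir.name,
                "file": f.relative_to(share_dir).as_posix(),
                "bytes": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": hashlib.sha256(f.read_bytes()).hexdigest(),
            })
    return records


def summarize(records):
    """Return {(profile, AllPeers user): (file count, total bytes)}."""
    totals = {}
    for r in records:
        key = (r["profile"], r["allpeers_user"])
        count, size = totals.get(key, (0, 0))
        totals[key] = (count + 1, size + r["bytes"])
    return totals


if __name__ == "__main__":
    # Default root: the Windows location quoted in the article, where
    # %APPDATA% corresponds to "Application Data" under the user's profile.
    root = Path(os.environ.get("APPDATA", ".")) / "Mozilla" / "Firefox" / "Profiles"
    found = staged_files(root)
    for r in found:
        print(f'{r["modified"]}  {r["bytes"]:>10}  {r["sha256"][:16]}  '
              f'{r["profile"]}/{r["allpeers_user"]}/{r["file"]}')
    for (profile, user), (count, size) in summarize(found).items():
        print(f"{profile} / {user}: {count} file(s), {size} bytes staged locally")
```

The hashes make it possible to compare a staged copy against the file a peer reports receiving.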

While hype abounds in other media sources, one aspect that has been greatly underreported is the business side of things. As of March 6, 2006, two investment companies, Mangrove Capital Partners and Index Ventures, had invested in AllPeers. How much money was invested in AllPeers? There is no evidence to suggest any fixed dollar amount. However, Index Ventures states, “Our typical investment size is $3 to $10 million although we sometimes invest as little as $500,000 in seed rounds. We seek to invest $5 to $20 million in a company over the life of an investment.” Judging by this quote, AllPeers may have received 500,000 dollars and will receive more, up to as much as 3 million dollars. Chances are, this investment company alone would seek to recoup that money in some way. Therefore, Index Ventures is likely to expect this application to make at least that much money. Mangrove, on the other hand, did not specify rough dollar amounts for its investments, though it can be assumed that the investment size may be roughly as great.

How does AllPeers Inc. expect to make upwards of 3 million dollars? It isn’t exactly clear, but according to 2 questions in their FAQ, “How can AllPeers be free?
Because we can. We are using P2P technology which means it costs very little to run.” and “How do you intend to make money?
By allowing people to sell or buy their content under their own terms. But this is not for just now. We are building AllPeers one step at a time.”

Another interesting bit of information that appears in the FAQ is the following, “How secure is it?
All communications are encrypted using industry standard SSL and you can only share with people you know.”

As mentioned, AllPeers has the user download things such as images to the local hard drive, then sends them via AllPeers, a transfer which, as stated, is encrypted. AllPeers does not say whether the retrieval of the data from the webpage is encrypted, so it can be assumed that the original gathering of the data is unsecured unless 3rd party extensions are used (such as FoxyProxy to keep the user anonymous).

As for what SSL is, Slyck’s very own LordFoul explains, “SSL could be used as an encryption method for P2P, but SSL is used for TCP packet exchange only, though UDP could be addressed in other ways. Keep in mind SSL doesn’t use username/password authentication; it relies upon the trust between the public and private key exchange. SSL authorities such as Verisign are enlisted in the real world to guarantee the integrity of said server keys. SSL’s primary purpose is to create a secure tunnel through encryption into which no one can see except for the client and the server; this, however, doesn’t obscure your identity from the server or vice-versa.” He also noted the following list of free open source SSL examples: SSL Proxy, Stunnel, SSL Wrap, and The Open SSL Project.

Another thing about AllPeers is that it might be considered obtrusive. Those who have used Firefox without any extensions will note that AllPeers puts an extra window on the left side of the browser, thereby shrinking the browsing window. Another point to notice is the extra AllPeers toolbar which runs under the address bar. It has reminders of the ability to ‘share’ and ‘transfer’ a file. It also has a button for the AllPeers homepage (which can be easily found via a simple web search) as well as a ‘Support’ button.

AllPeers adds an entry in Tools which reveals two options. One is to view logs (which, when opened in Notepad, reveal long lines of code that are likely difficult to read) and the other is to switch off the minimizing of Firefox to the system tray (on by default). The system tray shows an AllPeers icon which, even if you have closed all Firefox windows, keeps Firefox running (which could cause confusion if a user wants to install other extensions and needs to restart their browser).

The bottom of the browser is also altered. The lower right hand corner reveals whether AllPeers is connected or not. It will also notify the user in a second icon next to the AllPeers connection notification that a new file is being sent.

The last aspect noticeable on installation in this test was the new icon in the main taskbar whose purpose is to re-open or close the AllPeers window on the left side of the browser window. Generally, some users may find all this obtrusive even though it appears to be used to demonstrate functionality.

The AllPeers extension totals 4MB, which is so big as far as extensions go that there “were a few issues with getting up on the Firefox extension site since AllPeers is one of the first larger extensions to be hosted there.” (source)

Lost in all of this is the BitTorrent implementation. Sure, there is a copyright notice on the home page, but how does BitTorrent come into play? Supposedly (as Slyck didn’t get a chance to test this), when a user shares a movie with more than one person, it will behave like BitTorrent and the receiving users will help upload pieces of the file. When Slyck tested with the picture, it appeared to download from the beginning of the file to the end of the file.

Also found on the home page is the Privacy Policy, which sits below the copyright notices, away from the other website options, and describes what information they collect. According to their privacy policy, “2.0 INFORMATION THAT WE COLLECT.
When you register to use AllPeers, we collect the following information from you, and you need to give it to us in order to use our service: (i) username, (ii) password and (iii) email address. We do not look at the content of any message or files you share through our service. However, we sometimes collect anonymous information about your use of AllPeers. We need this information in order to operate AllPeers, but we do not share it with anyone. If we ever did contemplate sharing it, we would ask your permission first. We will use your information to authenticate your use of the service. Occasionally, we may use your email address to send you notices directly regarding AllPeers.

We feel very strongly about keeping the information you give us confidential. We will not share the information we collect from you with any third party. We do not store your password. If we do ever contemplate doing so, we would send you notice and ask your permission first.”

Essentially, they state that while they collect anonymous information about you, they won’t sell or share the information with third parties unless you give them permission.

Finally, is AllPeers a centralized or decentralized service? The answer is that AllPeers is centralized. According to the blog, “Some people have experienced problems creating their username after installing the extension. Please do not despair and try again later. Our registration server is suffering from time to time from the rush. Apologies for that. We are looking into this.” Essentially, there is a main AllPeer[s] server which appears to handle registered users (and perhaps authentication for use of AllPeers). If the main server were shut down, it is possible that the AllPeers service would be interrupted.

Please note that AllPeers has written a response to this article.

Drew Wilson on Twitter: @icecube85 and Google+.
