Can I be sure the download isn't bad
BitTorrent checks downloaded parts using hashing. After download is complete, it will also be completely verified. Each file you download through BitTorrent is checked against hash data contained in a torrent to confirm it's integrity. As long as you download from a source that is dependable, there is no real problems with fake files.
A hash is an unique identifier generated from the bits of a file, used to verify that a file is authentic. You could think of it as a files own personal fingerprint. While hashes verify files. and grant a greater level of accuracy, they are not failsafe. In some other p2p networks they have been totally compromised.
Info on Hash protocols (Not needed for those just wanting to download)
The information below is simply a description/detail oriented section on hashes and security, it is for the curious, If all you want it to make sure your files are ok, then relax the world is fine. But for those who just want to understand it all a little better, read away!
The BitTorrent protocol use the US Secure Hash Algorithm 1 (SHA-1). SHA-1 is considered to be the successor to MD5 (Message-Digest algorithm 5), an older and widely-used hash protocol. The SHA algorithms were designed by the National Security Agency (NSA) and published as a US government standard.
In February 2005, it was claimed that SHA-1 was compromised by experts in the field of cryptology. Read about it here. The authors assert that their attacks can find weaknesses in the full version of SHA-1.
This does not mean that the attack can be practically exploited. It has been suggested that these weaknesses could be exploited using "supercomputers". It might also be possible for exploitation by a relatively large organization willing to invest months of PC idle time on a large scale. The practicality of this is at the present unclear.
Check out this MD5 and SHA-1 generator
For example to validate a password, when you originally set a password, the hash of the password is stored in a database. When you return to the website and are prompted to enter your password, what you enter is then hashed and compared to the hash result stored in the database when you originally set it, and if the hashed versions match, the password is authenticated. However the original password cannot be obtained from the stored hash, it isn't encryption it cannot be decrypted back to the original text, it is a "one-way" trip.
Since SHA-1 is opensource, it is available for Download here. 3DES RC4 AES MD5 and the more secure SHA-2 are also available for download at the link.